Despite Insurance, Companies Still at Risk for Financial Consequences of a Data Breach
A recent study shows that even though many companies have purchased insurance to protect themselves from the financial consequences of a data breach, gaps remain that must be closed.
The study, commissioned by Wells Fargo Insurance’s Technology, Privacy and Network Risk Practice, surveyed 100 U.S. middle market and large corporations and found 85% have purchased cyber security and data privacy insurance coverage to protect them against the financial loss of a data breach.
The most common reasons companies gave for purchasing this specialized coverage were to protect themselves against financial loss (78%), protect shareholders (64%) and prepare for data breaches (61%).
Nearly half of all companies have already filed an insurance claim due to a breach, and 96% of the respondents said they were satisfied with their coverage, the way the claim was handled and the fact they had enough to cover expenses and damages.
Even with this insurance, though, companies need to take further steps to minimize their risk, including creating better incident response plans. This conclusion was reached after the study measured companies’ levels of readiness to respond to a cyber security or data privacy incident, perceptions about their security and network vulnerabilities and challenges they faced when purchasing coverage.
“While companies recognize the need for cyber security and data privacy insurance, purchasing coverage is not a complete solution. It’s also important to recognize that other factors, including testing incident response plans, employee awareness training, and following established privacy policies, are all critical components of an overall risk management program,” said Dena Cusick, national practice leader with Wells Fargo Insurance’s Technology, Privacy and Network Risk National Practice.
Gaps in the cyber security programs include:
- Most companies have an incident response plan, but one in five has not tested the plan. One in ten companies implemented a plan without testing it beforehand, and 74% learned that they needed to revise their plan after an incident.
- One in ten companies does not have a plan in place to deal with cyber security and data privacy concerns, even though 35% of companies are concerned about privacy data leaks and 25% are concerned about hackers. Of those with plans, only 85% developed them with the help of a third-party vendor.
- Companies are not training their employees on data protection and cyber security threats. 27% of large companies do not have an employee awareness training program, and of those companies with fewer than 2,000 employees, 30% do not have a program.
Of the companies that have cyber and data privacy insurance, nearly half said they had problems finding a policy that fit their company’s needs. Another 42% said the cost of coverage was prohibitive.