The 2019 Information Security and Cyber Risk Management Survey is out from Advisen, the leading information vendor for the insurance industry, and finds that risk managers now identify business interruption as a top risk along with the traditional leader, data breach – and that the insurance industry needs to catch up.
“In order to be of more value to buyers, the cyber policy’s business interruption coverage may need to evolve in sophistication, becoming more like the business interruption coverage available for other perils,” Advisen concludes.
Many survey respondents find cyber business-interruption policies “too generic”, a result, Advisen suggests, of insurers adapting policies aimed mainly at protecting data holders. “Current coverage offered by the market is OK for retailers or others that customers avoid after a breach,” the report quotes one respondent, “(i.e., I’m not shopping at Target), but doesn’t really work for companies like mine — real estate, leases in place, so no immediate revenue drop, but may not be able to secure new tenants due to breach.”
Among business-continuity cyber risks, the surveyed risk managers ranked these as the top five:
- Property damage or bodily injury arising out of a cyber event
- Access controls / privileged access
- Access to systems via interconnected devices or industrial control devices
- Access to systems via inadequately maintained patches
- Business interruption due to supplier cyber disruptions
With the RiskLens Platform, built on the FAIR model for quantifying cyber and operational risk, organizations make insurance purchase decisions informed by a clear picture of their top risks based on probable financial loss – in fact, the platform incorporates Advisen data to help risk analysts refine their estimates based on industry-wide data in addition to the organization’s own loss experience. This latest Advisen survey is a useful warning that the burden is on cyber insurance buyers to know their risks—and quantify before they buy.