The FINANCIAL — In a recent study of 100 U.S. middle market companies and large corporations, 85% say they have purchased cyber security and data privacy insurance coverage to protect against financial loss, while nearly half (44%) have already filed an insurance claim as a result of a breach. However, while more companies are purchasing cyber security and data privacy insurance, some gaps still remain in incident response plans, making those companies vulnerable to the financial consequences of a data privacy incident, according to the study, commissioned by Wells Fargo Insurance’s Technology, Privacy and Network Risk Practice (TPN), part of Wells Fargo & Co.
Examining middle market companies and large corporations with $100 million or more in annual revenue, the study looked at companies from a variety of industries ranging from manufacturing to educational services. It measured the companies’ current levels of readiness to respond to a cyber security or data privacy incident, perceptions of their own security and network vulnerabilities, and challenges faced when purchasing coverage.
“While companies recognize the need for cyber security and data privacy insurance, purchasing coverage is not a complete solution. It’s also important to recognize that other factors, including testing incident response plans, employee awareness training, and following established privacy policies, are all critical components of an overall risk management program,” said Dena Cusick, national practice leader with Wells Fargo Insurance’s Technology, Privacy and Network Risk National Practice. “We work with our customers to address any gaps and ensure they have a robust and comprehensive network security solution that can best protect their employees and business.”
Not surprisingly, the most common reasons given for purchasing this specialized coverage were to protect the business against financial loss (78%), protect shareholders (64%), and help prepare for data privacy events (61%). Of those that filed an insurance claim, 96% reported they were satisfied with their coverage, how the claim was handled, and that their policy had enough coverage for expenses and damages.
Despite the fact that many of these companies have purchased coverage, the study identified key gaps in their cyber security programs:
Companies are not testing their plans – Although most companies surveyed have an incident response plan, one in five have not tested their plan. One in 10 companies that had to implement their plan did so without testing it beforehand, with three in four (74%) saying they needed to revise their plan following the incident.
Leaked data is the top cyber security and data privacy concern, yet one in 10 companies does not have an existing incident response plan – 35% of companies are concerned about private data leaks, while 25% are concerned about hackers. Of those companies that have a plan, 85% developed it with the help of a third-party vendor.
Some companies still need to develop and train their employees on data protection and cyber security threats, and develop a corporate privacy policy – The study found that 27% of the companies do not have an employee awareness training program for cyber security and data privacy; this increases to more than 30% for companies with fewer than 2,000 employees. Of those companies that do have training programs, such as annual certification, affirmative acknowledgement, and repercussions for failure to comply, 93% require training for all employees. Additionally, 12% of companies do not have a corporate privacy policy, but of those that do have one, the majority (90%) say they are in compliance with the policy.
For almost half of the companies that have cyber and data privacy insurance, the biggest challenges they faced when purchasing the coverage were finding a policy to adequately fit their company’s needs (47%) or the cost (42%) — highlighting the need for an experienced broker to help with this process.
Wells Fargo’s Technology, Privacy and Network Risk National Practice (TPN) helps customers with professional liability, technology errors and omissions, media liability, network security, and privacy related lines of coverage. TPN brokers provide consultative services, market negotiations, policy analysis and placement, policy administration, claims advocacy services, and assist with loss control initiatives.