One of a CISO’s key responsibilities is to fully understand the cyber risk that their organization faces and to plan a cybersecurity budget accordingly. Not all risk can or should be mitigated, and residual risk is never zero, so CISOs must determine:
- How much risk is acceptable
- How much risk should be mitigated
- How much risk can be transferred to a third party, such as cybersecurity insurance.
According to CYE’s latest report, however, number three can be problematic.
The report, “Inadequacies in Breach Insurance Coverage: A Data-Driven Gap Analysis,” shows that many organizations often underestimate the true cost of potential cyber incidents and mistakenly rely on cyber insurance to cover their losses.
What do CISOs need to know about this? Here are some key takeaways from the report:
1. Chances are, your company doesn’t have enough cyber insurance coverage.
The report, which analyzed 101 incidents across various sectors, found that:
- 80% of insured companies that suffered a data breach did not have sufficient cyber insurance coverage.
- The average coverage gap was 350%, meaning that more than three-quarters of the cyber incident was not covered. This translates to an average uncovered loss of $27.3 million.
- The coverage gap accounted for 9% of revenue when outliers are removed; with outliers included, it amounted to 42% of revenue.
Bottom line? Cyber incidents are typically much more expensive than CISOs or insurers expect them to be.
2. Insurers typically will not cover hidden losses resulting from cyber incidents.
When considering cyber insurance, it’s important for CISOs to be aware of the limits: While insurance may cover a portion of the costs of regulatory fines, breach containment, and class-action lawsuits, it usually does not account for “hidden” losses.
These hidden losses may include:
- loss of intellectual property
- lost productivity
- business continuity impact
For example, Equifax’s stock performance dropped significantly after suffering a breach in 2017. A reduced stock value translates to direct losses for investors and damages the organization’s ability to raise capital through its stock. Stock performance is frequently also an indication of lost revenue.
3. The insurance gap trend has remained constant in recent years.
From 2004 through 2023, the insurance gap has remained in the tens or even hundreds of percent. Unfortunately, we are not seeing improved capabilities for estimating breach costs as time progresses. This suggests that organizations are not accurately quantifying their cyber risk and, at the same time, that insurers are not providing adequate cyber insurance coverage.
4. Accurate cyber risk quantification is the key to overcoming the cyber insurance gap.
To understand the potential cyber risk that organizations face and how much cyber insurance is necessary, CISOs must perform reliable and accurate cyber risk quantification.
To accomplish this, it’s important to:
- Focus on the most critical assets that are at the highest risk.
- Calculate asset value according to revenue, industry, historical data, and specific costs to the company including hidden costs.
- Prioritize mitigation based on cost to the organization, as well as the cost to reduce threats.
- Use a cyber risk quantification solution with a continuously updated breach calculator.
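As an added illustration of these steps (not code from CYE or the Hyver platform), the Python below ranks mitigations by expected-loss reduction per dollar with hidden costs counted in, then measures the coverage gap of a single incident against a policy limit. All asset values, probabilities, mitigation costs, the budget and the policy limit are constructed figures, and the gap definition is an assumption chosen to be consistent with the report's 350% example.

```python
from dataclasses import dataclass

@dataclass
class Asset:
    name: str
    breach_probability: float  # annual likelihood of a material breach
    direct_loss: float         # fines, containment, legal: the part insurers may cover
    hidden_loss: float         # lost IP, lost productivity, continuity impact
@dataclass
class Mitigation:
    name: str
    asset: str
    cost: float
    probability_reduction: float  # absolute cut in the asset's breach probability

def expected_loss(assets):
    """Annual expected loss, counting hidden costs alongside direct costs."""
    return sum(a.breach_probability * (a.direct_loss + a.hidden_loss) for a in assets)

def prioritize(assets, mitigations, budget):
    """Fund mitigations by expected-loss reduction per dollar within the budget."""
    by_name = {a.name: a for a in assets}
    def reduction(m):
        a = by_name[m.asset]
        return m.probability_reduction * (a.direct_loss + a.hidden_loss)
    chosen, spent = [], 0.0
    for m in sorted(mitigations, key=lambda m: reduction(m) / m.cost, reverse=True):
        if spent + m.cost <= budget:
            chosen.append(m.name)
            spent += m.cost
            by_name[m.asset].breach_probability -= m.probability_reduction
    return chosen

def coverage_gap_pct(incident_cost, policy_limit):
    """Uncovered cost as a percentage of the policy limit (assumed definition: a 350%
    gap means the incident cost 4.5x the limit, so ~78% of it was uncovered)."""
    return 100.0 * max(incident_cost - policy_limit, 0.0) / policy_limit

def run_example():
    # Constructed sample figures, not data from the report or from Hyver.
    assets = [Asset("customer-db", 0.20, 4_000_000, 6_000_000),
              Asset("build-pipeline", 0.10, 1_000_000, 3_000_000)]
    mitigations = [Mitigation("mfa-everywhere", "customer-db", 200_000, 0.08),
                   Mitigation("segment-db", "customer-db", 500_000, 0.06),
                   Mitigation("signed-builds", "build-pipeline", 150_000, 0.05)]
    before = expected_loss(assets)
    chosen = prioritize(assets, mitigations, budget=400_000)
    after = expected_loss(assets)
    # Worst single incident on the top asset against a constructed $2M policy limit.
    gap = coverage_gap_pct(assets[0].direct_loss + assets[0].hidden_loss, 2_000_000)
    return {"before": before, "after": after, "chosen": chosen, "gap_pct": gap}
```

Note that the greedy ordering uses the probabilities as they stand before any mitigation is funded; the uncovered single-incident cost (not the annual expected loss) is what the coverage gap compares against the policy limit.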
Cyber risk quantification with Hyver
CYE’s cyber risk quantification platform, Hyver, produces a risk calculation backed by data from numerous real-world security assessments. Its cost of breach model calculates exposure by considering the likelihood and impact of breaches, including hidden costs.
Because Hyver generates much of the data itself, rather than relying on the organization’s own input as other CRQ tools do, the result is an objective and reliable calculation rather than a subjective assessment.
Using Hyver, CISOs can get a realistic view of the true potential cost of cyber risk and thus plan mitigation and cyber insurance accordingly.
Want to learn more about how Hyver accurately quantifies your cyber risk? Schedule a demo.