UK organizations are far behind their US counterparts when it comes to implementing cyber insurance policies, with CISOs on both sides of the Atlantic disappointingly left out of key decisions, according to the Corporate Executive Programme.
The not-for-profit security group claimed in the latest of its CEP 2020 series of white papers that 40% of US respondents have some form of cybersecurity insurance, as opposed to just 13% of UK firms.
In the billion pound revenue range, organizations favored ‘self insurance’ (33%) – that is, setting aside their own money to deal with any potential losses or incidents.
However, firms in the million pound revenue range were most likely to seek cover through existing business insurance policies (32%).
Eset security specialist, Mark James, argued that many British firms still don’t perceive the UK as a major target for cyber-attacks, so the associated revenue hit is viewed as minimal.
“We in the UK have not adopted the lawsuit culture that exists in the States, so therefore the general practice seems to be: notify the public if we need to, say sorry, say we are working to stop it happening again, and then move along quickly and quietly,” he told Infosecurity.
However, it’s only a matter of time before the cyber-criminals look to target smaller countries, and UK firms realize that fines and lawsuits will follow if they are found to be negligent when it comes to cybersecurity.
“Companies will then have to consider insurance to protect them and have funds available to cover the impact it has on our daily lives,” he added. “Sadly it seems the only way to make companies listen is to target their profits.”
The CEP report also found that although 57% of responding organizations had a CISO position, only 20% of these took out cyber insurance.
In no single organization was the CISO responsible for cyber insurance purchasing. Instead legal (50%), head of risk (25%), or a board room exec (25%) made the decision.
Imperva CTO Amichai Shulman argued that if the CISO isn’t involved in the purchasing decision then the organization will either over-spend or under-spend, “providing an overall ineffective risk coverage for the organization.”
“For example, if the cyber insurance policy covers certain aspects of the risk, given the existing posture of existing systems, the CISO is better off spending additional funds on the security of new systems not covered by the policy rather than existing ones,” he added.
“Another example: if the costs of investigating a breach are covered by the policy then the CISO should limit the funding of projects aimed at making this task more cost effective.”