The cyber insurance takeup rate spiked in 2018, up 10 percentage points from 2017, according to the eighth annual Information Security and Cyber Risk Management survey released by Zurich North America and Advisen Ltd. The results showed the largest year-over-year increase since the first year of the study.
The survey identified two factors that have influenced cyber risk management practices over the past year: regulatory changes such as the Europe Union’s (EU) General Data Protection Regulation (GDPR); and business continuity risks such as the Dyn distributed denial of service (DDoS) attack, WannaCry and NotPetya events.
A key takeaway, however, is the divergence between the experiences of large companies, defined as firms with more than $1 billion in revenue, and middle market companies, defined as firms with less than $1 million in revenue.
For example, according to the survey, nearly twice as many large companies made changes to their cybersecurity controls as a result of GDPR compared with their middle market counterparts. And while recent high-profile business continuity events were a wake-up call for all businesses, the survey revealed large companies view them as a greater concern.
Speakers at Advisen’s Cyber Risk Insights Conference in New York last week discussed how, and why, the sophistication regarding risk mitigation and risk transfer continues to vary by company size.
One reason middle market companies trail behind is “they don’t have the financial wherewithal” to implement the necessary programs, said Dena Cusick, national practice leader at USI Insurance Services.
Kevin Kalinich, global practice leader at Aon Commercial Risk Solutions, agreed that middle market companies often have limited resources and different priorities than large companies. “The insurance industry has gotten better [at providing solutions for middle market companies],” said Kalinich. “Now some carriers are packaging services. That has resonated with middle market companies because it provides a valuable benefit other than just risk transfer.”
One example of the difference in risk mitigation between large and middle market companies is with regards to supply chain risk. The survey revealed twice as many middle market companies as large companies said cyber supply chain risk had not affected their vendor management controls.
According to Chris de Wolfe, director of risk management at Mars Corporation, this may have a lot to do with the influence large companies have over their vendors. “It’s easier for us because we are a large company. If you are a middle market company you don’t have has much leverage [over the vendors in your supply chain].”
Taken as a whole, middle market and large companies have different preferences and experiences throughout the cybersecurity value chain.
“There remains a great need, particularly within the middle market, for education and guidance in developing cyber risk management programs and improving cyber resiliency,” said Michelle Chia, head of specialty E&O for Zurich North America. “The industry is well-positioned to understand those needs and to help develop strategic cyber risk mitigation and response initiatives for the middle market, and to demonstrate the benefits of cyber insurance policies.”
Editor Josh Bradford can be reached at firstname.lastname@example.org