Just How Many Cyber Policies Are Floating Around Out There? (Not Nearly As Many As You Are Being Told)
Sometimes there are questions for which nobody knows the answer. And sometimes there are questions to which I know the answer but wish I didn’t – like how many Girl Scout Thin Mint cookies I ate last night.
One question in the Tootsie Roll Tootsie Pop category is how widespread cyber or data breach insurance policies are. There is one answer to this question that has been put forth: 31% of U.S. companies have such policies. This number comes from a 2013 report prepared for Experian – the people in the credit score and identity theft protection business. This number has been cited in articles appearing in The Financial Times (February 21, 2014) and The Wall Street Journal (December 3, 2013) and countless other stories on the web.
Looking at another source, an unnamed insurer participant at a U.S. Department of Homeland Security cyber insurance workshop in October 2012 stated that only about 25% of companies have a cyber policy. A Law360 article on February 21st cited to a cyber lawyer’s conclusion that 25% of the property-casualty market has purchased cyber coverage. According to the Insurance Information Institute, the net written premium in 2012 for the property-casualty section of the insurance industry (auto, home and commercial) totaled $456 billion.
If Experian’s 31% conclusion is the right number, then of the pizza place, bagel store and burrito shop in the strip center near my house, one of these three businesses has an insurance policy to protect against the various risks of a data breach or cyber attack. The moon is more likely made of cheese. I decided to take a closer look at the Experian report -- in other words, the report itself and not the media portrayals of it. My conclusion: The Experian report has led to a false impression about the current take-up rate of cyber or data breach insurance policies.
According to the U.S. Census Bureau’s 2011 figures (the latest I could find on their website), there are about 5.7 million firms in the United States. To keep it simple, using six million firms for 2013 (which seems reasonable), a 31% take-up rate means that two million of them have cyber policies. The Financial Times cited to a June 2013 report from a risk consultant that estimated that the annual gross written premium for cyber policies was $1.3 billion. Doing some back-of-the-envelope math means that the average annual premium for each of these two million cyber policies is $650. But according to the report prepared for Experian, of the 43% of respondents that have no plans to purchase a cyber policy, 52% cited premiums being too high as a reason. Not to mention that an average premium of $650 -- about what I pay per year for veterinary insurance for Barney my dog -- seems low considering how hard many insurers are working to get a toe-hold on the cyber insurance market.
My sense is that, if 31% is the right number of companies that have a cyber policy, it is 31% of a certain type of company and not 31% of ALL U.S. companies across the board, as is being portrayed. Let’s take a look at the Experian report and how it arrived at 31%.
First, the Experian report – “Managing Cyber Security as a Business Risk: Cyber Insurance in the Digital Age” (August 2013) -- is really one that was independently prepared by Ponemon Institute LLC for Experian. According to the report, Ponemon is “dedicated to independent research and education that advances responsible information and privacy management practices within business and government. Our mission is to conduct high quality, empirical studies on critical issues affecting the management and security of sensitive information about people and organizations.” For simplicity, I’ll refer to the Ponemon report as the Experian report.
How large was the sample size for the survey that was conducted to reach the 31% conclusion? Ponemon started with a random sample of 18,829 “experienced individuals involved in their companies’ cyber security risk mitigation and risk management activities in various-sized organizations in the United States.” 957 respondents completed the survey. After screening and reliability checks removed 319 surveys, the final sample was 638 surveys.
Of these 638 surveys, a whopping 86% were from companies with a global head count of 500 or more employees. Compare this with the percentage of all U.S. firms that have 500 or more employees, which is three-tenths of one percent according to the census folks. U.S. companies with fewer than twenty employees make up 90% of the total. Given the gargantuan difference between the size of the Experian companies and U.S. companies in general, it is inconceivable that 31% of these very small companies – many probably just trying to make ends meet -- have a cyber policy. Any comparison between these two groups is apples to washing machines.
The Ponemon survey asked if the respondent company, over the past 24 months, had experienced one or more cyber attacks that infiltrated the company’s networks or enterprise systems resulting in the loss or theft of 1,000 or more records. The number of respondents that answered yes was 56%. Of these companies, 60% pegged their out of pocket cost of the attacks at between $1 million and $25 million. So it is hardly a surprise that, of the companies that experienced a data breach, 70% said that such breach increased their interest in purchasing cyber insurance.
You do not need a degree from MIT to see that it is very hard to say that 31% of ALL U.S. companies have cyber policies, as the Experian report’s conclusion has been described. Not even close. The actual across the board number has to be many, many multiples fewer. All that can be said about the Experian report is that 31% of mostly the largest companies in the country, half of which have already experienced a data breach, have a cyber policy.
None of this is to say that there is anything wrong with the Experian report. Its conclusion, that 31% of huge companies, half of which have already been stung by a data breach, have a cyber policy, sounds entirely reasonable. The authors of the Experian report are quick to point out that there are limitations in it. Among other caveats, they state that “[t]here are inherent limitations to survey research that need to be carefully considered before drawing inferences from findings.”
The problem with the Experian report is not its conclusion, but that such conclusion has been applied too broadly and then treated as if it were written on stone tablets. It reminds me of Y2K. Someone was the first to say that airplanes may fall out of the sky at the stroke of midnight on January 1, 2000. That possibility was then continuously repeated in article after article after article addressing the Year 2000 risks.
While the number of U.S. companies that have a cyber policy may be elusive, this much can be said with certainty. Based on the recent data breach at Target, and other widely-reported breaches, the number of policies can only go in one direction. The Target data breach was the equivalent of ten free Super Bowl ads for insurers selling cyber policies.
For additional information regarding this alert, please contact Randy J. Maniloff (firstname.lastname@example.org; 215.864.6311).