NATIONAL CYBERSECURITY MONTH

The Real Consequences of Being Under-Insured

HINT: Being under-insured in cyber is a silent business killer. Learn why the word sufficient is the critical missing link.


Cyber insurance has become as essential to organizations as locks on their doors, yet too many businesses remain under-insured—leaving themselves dangerously exposed. In today's world of cyber chaos, who really wants to bet against the odds?

Let’s cut to the chase: without the right insurance coverage, businesses are at risk of suffering monumental losses, and under-insurance is like bringing a water gun to a wildfire!🔥

Why Under-Insurance is a Big Deal:
Would You Insure a $30 Million Warehouse for $1 Million?

Consider this: if a warehouse costs $7 million to replace, its contents are worth $20 million, and the business interruption cost is around $3 million, it would make sense to carry a $30 million policy. P&C has worked this way for well over a century with solid results that benefit everyone. Most of these policies are revisited annually to keep coverage at a reasonable level – perhaps not 100%, but in most cases, at least 80-90% of the loss, so that any level of under-insurance could be properly borne via company reserves without adverse impact on the shareholders.

So why do companies cover only 1% to 5% of their actual cyber risk exposure? The same principle applies—proper insurance coverage is essential for staying afloat when disaster strikes.

Real-World Example: Equifax and Change Healthcare
When Under-Insurance Hits Hard

In the case of cybersecurity, many organizations—like Equifax and Change Healthcare—are significantly under-insured. Their losses stretch into the billions, yet cyber coverage often turns out to be just $100 million or less. This exposes them to massive financial damage that could have been mitigated with proper coverage.

NOTE: We assembled quite a bit of this data once it became visible in the public domain, and most cases cluster around a level of coverage that amounts to between 1% and 5% of the loss. In other words, about a 95% or greater exposure. This degree of loss exposure would be rare in nearly every other area of business risk – shipments, truck fleets, facilities, production machinery, finished goods – all of these are generally insured at a proper level, usually meaning a level at which the organization knows any under-insurance gaps that might remain and how they would fund them.

What’s at Stake for Your Business:
Cyber Attacks Can Break the Bank

In the area of cyber insurance, organizations that have suffered losses quite often face not only the material loss itself but must also post one-time charges against earnings, often for hundreds of millions – or even billions – in loss beyond their cyber insurance coverage. Still, many more organizations are simply put out of business.

Verizon’s Data Breach Investigations Report highlights a terrifying statistic: 60% of small businesses that suffer a cyberattack go out of business within six months. Why? Often, they don’t have the right protections—either technologically or financially. Without sufficient cyber insurance, a cyberattack can easily become a death sentence for a business.

Think of your home—what kind of security would you put in place if you knew losing it was a real possibility?

Why Companies Remain Under-Insured:
Knowledge Gaps in Cyber Risk Exposure

So why do companies under-insure their cyber risk? It often boils down to a lack of understanding. Unlike other business risks—like facilities or equipment—cyber risk is often poorly understood by management. They may not know just how exposed they are, and without this knowledge, they’re unlikely to carry the appropriate coverage.

The United Healthcare Case Study:
What Happens When You Don’t Know Your Exposure

In April 2023, ArxNimbus technology was used to run a risk profile on United Healthcare, the parent of Change Healthcare, showing a loss exposure in the billions. When the company suffered a breach in February 2024, the estimated losses came within 7.5% of the forecast. Had they understood their exposure earlier, they might have been better prepared.

The Gap Between Cybersecurity and Insurance:
Technology Can’t Solve Everything

For decades, cybersecurity has been treated as a technology problem and sophisticated tools have been developed to alert us to attacks and vulnerabilities. But here’s the catch: these technologies don’t quantify exposure in business terms. They don’t tell you what a breach will cost you in dollars and cents.

This is where cyber insurance comes into play, and yet many companies are still under-insuring their cyber risks.

Bridging the Gap with Actuarial Data:
Know The Real Exposure—In Dollars

In our work with Falcon Risk Services/HDI in refining an actuarial-driven cyber risk platform, we have found that most companies who seek cyber insurance are still aiming low. Shareholders, boards, trading partners and regulators expect that risks of all types are identified and addressed. Yet, in the case of cyber risks, underinsurance can result in some of the largest losses any organization could face. So the statement “We have cyber insurance in place” should really be expanded to “We have sufficient cyber insurance in place” – where the term “sufficient” should be far more than just 3-5% of the remaining (i.e., un-remediated) loss exposure the company is carrying.

Brokers have an invaluable role in advising their clients on these matters, yet until now they have been limited by the same gap in knowledge about the magnitude of potential cyber losses. We see a key inflection point in bringing the insured’s coverage much closer to their real exposure by getting a proper, actuarial-based analysis in place based on NIST standards, actual historical loss data, industry patterns, and the company’s own size, employee headcount, financials, and cybersecurity controls status.

Final Thoughts: Don’t Wait Until It’s Too Late:
The Cost of Under-Insurance is Too High to Ignore

By getting a proper understanding of cyber exposure in dollar terms, the cyber insurance industry can become a much more potent force, along with remediation efforts and optimal cybersecurity strategies, in radically reducing the massive losses organizations face.
