Cyber insurance has become as essential to organizations as locks on their doors, yet too many businesses remain under-insured—leaving themselves dangerously exposed. In today's world of cyber chaos, who really wants to bet against the odds?
Let’s cut to the chase: without the right insurance coverage, businesses are at risk of suffering monumental losses, and under-insurance is like bringing a water gun to a wildfire!🔥
Consider this: if a warehouse costs $7 million to replace, its contents are worth $20 million, and the business interruption cost is around $3 million, it makes sense to carry a $30 million policy. Property and casualty (P&C) insurance has worked this way for well over a century, with solid results that benefit everyone. Most of these policies are revisited annually to keep coverage at a reasonable level. It may not be 100%, but in most cases it is at least 80-90% of the probable loss, so that whatever under-insurance remains can be absorbed from company reserves without adverse impact on shareholders.
So why do companies cover only 1% to 5% of their actual cyber risk exposure? The same principle applies: proper insurance coverage is essential for staying afloat when disaster strikes.
In the case of cybersecurity, many organizations, Equifax and Change Healthcare among them, are significantly under-insured. Their losses stretch into the billions, yet cyber coverage often turns out to be just $100 million or less. This exposes them to massive financial damage that could have been mitigated with proper coverage.
NOTE: We assembled much of this data from disclosures that have become public, and most of the cases cluster around coverage equal to between 1% and 5% of the loss. In other words, 95% or more of the loss is uninsured. That degree of loss exposure would be rare in nearly every other area of business risk. Shipments, truck fleets, facilities, production machinery, finished goods: all of these are generally insured at a proper level, meaning a level at which the organization knows what under-insurance gaps remain and how it would fund them.
In cyber insurance, organizations that have suffered losses quite often face not only the material loss itself but must also post one-time charges against earnings, frequently for hundreds of millions, or even billions, beyond their cyber insurance coverage. Many smaller organizations are simply put out of business.
Verizon’s Data Breach Investigations Report highlights a terrifying statistic: 60% of small businesses that suffer a cyberattack go out of business within six months. Why? Often, they don’t have the right protections, technological or financial. Without sufficient cyber insurance, a cyberattack can easily become a death sentence for a business.
Think of your home—what kind of security would you put in place if you knew losing it was a real possibility?
So why do companies under-insure their cyber risk? It often boils down to a lack of understanding. Unlike other business risks, such as facilities or equipment, cyber risk is poorly understood by management. They may not know just how exposed they are, and without this knowledge they are unlikely to carry the appropriate coverage.
In April 2023, ArxNimbus technology was used to run a risk profile on UnitedHealth Group, the parent of Change Healthcare, showing a loss exposure in the billions. When Change Healthcare suffered a breach in February 2024, the estimated losses came within 7.5% of the forecast. Had the company understood its exposure earlier, it might have been better prepared.
For decades, cybersecurity has been treated as a technology problem, and sophisticated tools have been developed to alert us to attacks and vulnerabilities. But here’s the catch: these technologies don’t quantify exposure in business terms. They don’t tell you what a breach will cost in dollars and cents.
This is where cyber insurance comes into play, and yet many companies are still under-insuring their cyber risks.
In our work with Falcon Risk Services/HDI in refining an actuarial-driven cyber risk platform, we have found that most companies that seek cyber insurance are still aiming low. Shareholders, boards, trading partners and regulators expect that risks of all types are identified and addressed. Yet in the case of cyber risk, under-insurance can result in some of the largest losses any organization could face. So the statement “We have cyber insurance in place” should really be expanded to “We have sufficient cyber insurance in place”, where “sufficient” means far more than 3-5% of the remaining (i.e., un-remediated) loss exposure the company is carrying.
Brokers have an invaluable role in advising their clients on these matters, but until now they have been limited by the same gap in knowledge of the magnitude of potential cyber losses. We see a key inflection point in bringing the insured’s coverage much closer to its real exposure: putting a proper actuarial analysis in place, based on NIST standards, actual historical loss data, industry patterns, and the company’s own size, employee headcount, financials, and cybersecurity controls status.
With a proper understanding of cyber exposure in dollar terms, the cyber insurance industry can become a much more potent force, alongside remediation efforts and optimal cybersecurity strategies, in radically reducing the massive losses organizations face.