Building puzzle globe. Building puzzle globe. jannoon028/Shutterstock.com.

In the age of ransomware and phishing, many organizations are looking to cyberinsurance to mitigate their risk. But in Europe, the Middle East, and Africa—the EMEA region—such insurance is slow to catch on, according to Aon Risk Solutions' 2017 EMEA Cyber Risk Transfer Comparison Report.

The report looks at the results of a Ponemon Institute survey of over 500 cyber and enterprise risk managers in EMEA corporations conducted in late 2016. Over one-third of respondents disclosed they had a “material or significantly disruptive” breach or incident within the past 24 months, the average financial impact of which was $3.3 million. Around two-thirds, 65 percent, also said their risk of a cyberattack will likely increase over the next two years, while 22 percent predicted it will stay the same.

But when it came to adopting cyber insurance as a remedy, only 23 percent of respondents reported having plans in place. Among those that didn't, 46 percent had no plans to purchase cyber insurance over the next two years, while 54 percent did.

However, in comparing the results from the previous year's survey, Kevin Kalinich, global practice leader of cyber/network risk at Aon, noted that “the awareness of cyber risk and the intent to purchase cyber insurance both increased by about 40 percent.”

Kalinich said the discrepancy between the amount of EMEA companies who see higher cyber risk in the future and those who plan to buy cyber insurance is due to the fact that many EMEA companies didn't see the need to protect themselves financially against cyber risk during 2016. 

“EMEA is different than the U.S., where there have been a number of high-profile litigation situations that cost companies large amounts of money,” Kalinich said. He predicted, however, that more EMEA companies would get cyber insurance going forward, in light of the growing amount of European companies that have begun to suffer high financial losses connected to breaches in 2017, including shipping company DPEX Express, consumer goods company Reckitt Benckiser and the European offices of DLA Piper.

Aon predictions, though, may be optimistic, given that it helps its own clients find and purchase cyber insurance and has a vested interest in the cyber insurance industry.

Of those respondents who had cyber insurance in 2016, 56 percent noted their general liability limit was between $2 million and $20 million, while 25 percent had covered liabilities from $1 million to $5 million. What's more, 62 percent of those with cyber insurance called their coverage sufficient. Most of these insurance policies covered external attacks by cyber criminals (83 percent) or those by malicious or criminal insiders (76 percent).

Around half also covered the costs of communicating with regulators after an incident and of notifying data breach victims of the loss, while 49 percent covered third-party liabilities as well.

In addition to coverage, most cyber insurers provided their clients with access to cybersecurity forensics experts (84 percent) and access to legal or regulatory experts (74 percent). Such access to legal and regulatory professionals could prove helpful for EMEA companies given how unfamiliar many are with the risk they face under international laws and regulations: Only 30 percent of respondents, for example, were fully aware of the legal and economic consequences of an international data breach or security incident, while 46 percent were “somewhat aware” and 24 percent were “not aware.”

Kalinich, however, noted that this lack awareness is not connected with a lack of understanding of the general fines and legal liabilities under regulations such as the EU's upcoming General Data Protection Regulation (GDPR), but instead with how such liabilities will become reality.

“They don't have any actual examples of how the EU GDPR fines an entity,” he said.  “Why should an organization purchase insurance to cover something or have awareness of something that they don't have actuarial data for?”

Building puzzle globe. Building puzzle globe. jannoon028/Shutterstock.com.

In the age of ransomware and phishing, many organizations are looking to cyberinsurance to mitigate their risk. But in Europe, the Middle East, and Africa—the EMEA region—such insurance is slow to catch on, according to Aon Risk Solutions' 2017 EMEA Cyber Risk Transfer Comparison Report.

The report looks at the results of a Ponemon Institute survey of over 500 cyber and enterprise risk managers in EMEA corporations conducted in late 2016. Over one-third of respondents disclosed they had a “material or significantly disruptive” breach or incident within the past 24 months, the average financial impact of which was $3.3 million. Around two-thirds, 65 percent, also said their risk of a cyberattack will likely increase over the next two years, while 22 percent predicted it will stay the same.

But when it came to adopting cyber insurance as a remedy, only 23 percent of respondents reported having plans in place. Among those that didn't, 46 percent had no plans to purchase cyber insurance over the next two years, while 54 percent did.

However, in comparing the results from the previous year's survey, Kevin Kalinich, global practice leader of cyber/network risk at Aon, noted that “the awareness of cyber risk and the intent to purchase cyber insurance both increased by about 40 percent.”

Kalinich said the discrepancy between the amount of EMEA companies who see higher cyber risk in the future and those who plan to buy cyber insurance is due to the fact that many EMEA companies didn't see the need to protect themselves financially against cyber risk during 2016. 

“EMEA is different than the U.S., where there have been a number of high-profile litigation situations that cost companies large amounts of money,” Kalinich said. He predicted, however, that more EMEA companies would get cyber insurance going forward, in light of the growing amount of European companies that have begun to suffer high financial losses connected to breaches in 2017, including shipping company DPEX Express, consumer goods company Reckitt Benckiser and the European offices of DLA Piper.

Aon predictions, though, may be optimistic, given that it helps its own clients find and purchase cyber insurance and has a vested interest in the cyber insurance industry.

Of those respondents who had cyber insurance in 2016, 56 percent noted their general liability limit was between $2 million and $20 million, while 25 percent had covered liabilities from $1 million to $5 million. What's more, 62 percent of those with cyber insurance called their coverage sufficient. Most of these insurance policies covered external attacks by cyber criminals (83 percent) or those by malicious or criminal insiders (76 percent).

Around half also covered the costs of communicating with regulators after an incident and of notifying data breach victims of the loss, while 49 percent covered third-party liabilities as well.

In addition to coverage, most cyber insurers provided their clients with access to cybersecurity forensics experts (84 percent) and access to legal or regulatory experts (74 percent). Such access to legal and regulatory professionals could prove helpful for EMEA companies given how unfamiliar many are with the risk they face under international laws and regulations: Only 30 percent of respondents, for example, were fully aware of the legal and economic consequences of an international data breach or security incident, while 46 percent were “somewhat aware” and 24 percent were “not aware.”

Kalinich, however, noted that this lack awareness is not connected with a lack of understanding of the general fines and legal liabilities under regulations such as the EU's upcoming General Data Protection Regulation (GDPR), but instead with how such liabilities will become reality.

“They don't have any actual examples of how the EU GDPR fines an entity,” he said.  “Why should an organization purchase insurance to cover something or have awareness of something that they don't have actuarial data for?”