Despite escalating threat, execs slow to go for cyber insurance

By Doug Bailey

U.S. business executives are more worried than ever about the risk of cyber threats and attacks, but according to a recent survey most of their companies are without detection and response plans and lack cyber insurance.

The 2024 Travelers Risk Index released Tuesday by The Travelers Companies, revealed that cyber risks have once again appeared as a top concern for corporate executives, marking the fourth time in six years that cyber threats have ranked highest among business decision-makers.

“Cyber threats are increasingly top of mind for business leaders because the operational and financial consequences of an attack can be devastating,” said Tim Francis, Enterprise Cyber Lead at Travelers. “What’s troubling is that despite this awareness, many organizations still aren’t taking the necessary steps to protect themselves.”

The annual survey, conducted since 2014, polls business insurance decision-makers across U.S. companies of all sizes and industries to assess the most pressing issues they face. This year, a record 62% of respondents reported being “very” or “somewhat” concerned about cyber risks, outpacing other major concerns such as medical cost inflation (59%), economic instability (59%), rising employee benefits costs, and the ongoing challenge of attracting and keeping talent (54%). Cyber ranked third on the list of business concerns last year behind medical cost inflation and broad economic uncertainty.

Nearly 30% without coverage

Despite the heightened awareness, nearly 30% of the more than 1,200 business leaders surveyed reported that their companies do not have cyber insurance coverage. However, the number of businesses opting for cyber insurance is growing – 65% of respondents said their organizations had a policy, up from 60% last year and a significant increase from just 39% in 2018.

The report also showed year-over-year gains across all company sizes: small businesses with cyber insurance increased to 41% (up from 34% in 2023), mid-sized companies grew to 77% (from 74%), and large enterprises climbed to 78% (from 72%).

The uptick in cyber insurance adoption correlates with a steady rise in cyberattacks. This year, 24% of respondents said their organizations had experienced a cyberattack—slightly up from 23% in 2023. More than half of these incidents occurred in the last year, marking the eighth time in nine years that cyber-related breaches or events have increased.

“On the one hand, I'm not surprised that it's the top concern,” said Francis. “Their responses jibe with what we're seeing for our own customers that cyber crimes and attacks are continuing on the rise and they really don't discriminate. We see claims against large companies, medium companies, small companies, virtually every industry, virtually every geography, so it doesn't surprise me. In fact, if there's a surprise, it's that it's not a hundred percent of respondents who are concerned.”

Cyber risks cited

Survey respondents cited several key cyber-related risks, with security breaches and unauthorized access to financial accounts or control systems topping the list (57%). Ransomware, a growing threat, was named by 54% of respondents and saw the sharpest increase, moving from the ninth most concerning cyber issue in 2023 into the top five this year.

“I think that speaks to just the impact that a ransomware event could have,” said Francis. “First, they're probably the most difficult to deal with and they're particularly some of the most difficult to deal with if you're not prepared. We're seeing an increase in ransomware but also an increase in the sophistication of some of these attacks.”

It’s not just the cost of paying the ransoms, Francis said. It also threatens business, income and operational losses.

“If your systems are corrupted, you're unable to manage your business, you're unable to service customers, and you're suffering business income loss,” he said. “And because your systems are down, you can't communicate with your teams. The plans that you thought you would be able to execute and communicate have been compromised because of this one attack.”

Rise in 'double ransom'

Francis said the industry is also seeing a rise in what he called “double ransom,” in which malware used in an attack will corrupt systems that are held hostage until the victimized company pays, unusually in cryptocurrency, for a decryption key.

“But what tends to happen more than it used to is that subsequently the threat actors will say, they exfiltrated a bunch of data, confidential information, personal employee and customer information and if you don't pay us an additional amount of money, we're going to publicly release that.”

A report by IBM Security and Ponemon Institute found that the average cost of a data breach in the US $9.44 million. The report noted that the pandemic spurred many businesses to adopt remote work, which increased cyber attack threats, but the same businesses often did not prioritize increased cyber security risks—particularly small and medium-sized businesses, which often lack money and technical ability to fortify data security.

A cyber insurance policy will typically cover the first- and third-party costs of a data breach. Policies also often give businesses access to risk management services as well as post-breach services such as expert privacy lawyers and a PR team.

“Many really lack the knowledge of what to do should an event take place,” said Francis. “And I think that's actually a place in which cyber insurance can really come to the fore, because it's not just offering a product that reimburses for financial loss but when there's a cyber event, that the resources that we have available to bring to bear are critical.”

The national survey of 1,202 U.S. business insurance decision-makers was conducted by Hart Research, commissioned by Travelers in June. Travelers is among the top 10 global insurance companies offering cyber insurance in a list that includes Chubb, AIG and The Hartford.

A dedicated microsite by Travelers showcases key findings from its Risk Index and offers deeper insights into the growing challenges facing businesses today.