Firms who need cyber insurance the most not getting insured - KPMG

Premiums are lower for companies that have reasonable controls, leading to unprotected firms being priced out

Companies that have the weakest cyber defences are the least interested in getting cyber insurance, according to Stephen Bonner, a partner in the information protection side of "big four" accountancy firm KPMG.

KPMG works alongside insurer AIG and law firms CMS Cameron McKenna and Norton Rose to offer clients a "data breach response service", which provides legal and forensic experts who can help to identify and fix security vulnerabilities, as well as deal with regulators and any affected data subjects.

Earlier this month, Jamie Bouloux, head of cyber products and liability at insurer AIG explained that demand for the service was already high in the US, and is steadily growing in Europe, particularly as a result of the proposed EU regulations which could include fines for data breaches of up to two per cent of global annual turnover - costing big corporations millions of pounds.

He dismissed the notion that organisations that take out cyber insurance will use it as an excuse to relax their internal data governance, stating that companies are more likely to raise cyber security awareness in the workplace and offer training to staff because it affects the pricing of the insurance policy.

Bonner believes that corporations that already have the defensive capabilities intact to thwart cyber attacks opt for cyber insurance as an extra layer of protection, but said that less mature companies are not willing to consider cyber insurance.

"It tends to be those that have taken all the reasonable steps, deployed the right controls and monitor their environment already, that go for insurance," he said.

"It's like the type of travellers that go on holiday with an expensive camera and valuables and ensure that they are insured, while those who need it more when they go on a skiing holiday or a stag do are probably the ones who would get the most benefit of getting insurance but don't," he added.

Bonner blames this on a lack of cyber security awareness in some of the smaller organisations, and suggested that the market will boom once awareness has been raised.

"Unless it becomes mandatory like car insurance - which it probably won't - it is unlikely to be the silver bullet that fixes the problem," he said. "Because premiums will be lower if you have reasonable controls, so those that don't have reasonable controls don't have insurance, so it tends to be the few [firms] that are good at the moment [that have cyber insurance] but we expect the market to expand rapidly as people become more aware."

But Bonner stated that it is only specific areas of data breach that cyber insurance can cover at the moment, with intellectual property (IP) harder to be insured for than personal data breaches.

"It is focused on personal data breaches by retailers mainly at the moment," he said. "It is more difficult to get insurance around your IP, so if you're making the next super vacuum cleaner and you need to keep the information safe from competition it is hard to insure, because it is hard to be certain that it was a cyber attack that leaked any details and allowed the competition to catch-up.

"The high-volume, relatively low-value individual events are what insurance is perfect for, because there is enough data to draw good conclusions about the risk and total cost," he added.