Most large enterprises in the UK still aren't managing risk through dedicated cyber-insurance policies, and the few that do so buy based on recommendations by legal rather than IT departments, an analysis by non-profit the Corporate Executive Programme (CEP) has found.
Given that cyber-insurance in the UK is still in its early stages, some of the numbers turned up aren't a complete surprise, for instance the fact that 40 percent of US respondents used dedicated cyber-insurance as against only 14 percent for the UK - greater US regulatory demands largely explain this difference.
Overall, 20 percent had dedicated cover, 25 percent self-insured (i.e. set aside money to pay for incidents), and 23 percent felt they had sufficient insurance for eventualities within their general insurance cover. That left a further 20 percent with no insurance at all and 12 percent who weren't sure.
Two questions emerge from this - what were the firms that bought dedicated insurance protecting themselves against and who made the judgement call?
Brand protection and possible loss of business from disruption were cited as important motivations, followed by cleanup costs and privacy and compliance obligations.
How likely an organisation was to be one of those with cyber-insurance in place seemed to depend on how centralised its risk-management function was. Curiously, the centralisers were less likely to have dedicated cyber-insurance (15 percent) than those using a decentralised model (31 percent) with the former preferring self-insurance.
"One possible explanation for this is that, where a centralised function exists, the organisation can look at risk to the whole business from an aggregated point of view. With a decentralised function, the picture is more fragmented," suggested CEP's report authors.
This implies that cyber-insurance take-up isn't necessarily always an entirely rational decision in that it can happen without all the information to hand.
Perhaps the biggest surprise of all was the negligible role of CISOs in buying insurance - not a single one of the sample organisations said this role made the decision to buy or not buy cyber-insurance.
In half of cases the decision was made by legal departments, with a further quarter by executive boards or some kind of dedicated risk function team. Often infosec heads didn't even seem to know what insurance was in place at their organisations.
What does this all mean? Probably that cyber-insurance remains a boutique purchase, with many people inside large organisations knowing almost nothing about what cover they do or don't have. When it is used, cyber-insurance is still seen as a piece of financial engineering, which means that security heads become peripheral figures.
"If the CISO is not taking part in the discussion or the decision about cyber insurance then the organization is bound to over-spend and under-spend on the other pieces of the puzzle providing an overall ineffective risk coverage for the organization," commented Amichai Shulman, CTO of security firm Imperva.
The problem was less about which job function was behind the decision to buy cyber-insurance than how it was used should the day come to claim on it.
"For example, if the cyber insurance policy covers certain aspects of the risk, given the existing posture of existing systems - the CISO is better off spending additional funds in the security of new systems (not covered by the policy) rather than existing ones," he said.
"Another example, if the costs of investigating a breach are covered by the policy then the CISO should limit the funding of projects aimed at making this task more cost effective."
CEP said it believed that the forthcoming EU General Data Protection Regulation (GDPR), due to be finalised by the end of this year, would have some impact on interest in cyber-insurance not least because it is expected to mandate potentially large fines for breaches. However, that remained a long-term influence.
The UK Government has a stated policy of encouraging large and small firms to use cyber-insurance as a way of driving home security best practice.