[Material-Incidents] No. 13

Cyber Insurance - 'May Not be Fully Insured'

Hey everyone,

The recent CrowdStrike incident got me thinking about how companies deal with incident response/disaster recovery. Specifically, from a risk management perspective, how many of these impacted companies will be making insurance claims for the business interruption they suffered? This idea led me to this week’s post on what can be gleaned about cyber insurance from 10-K data.

The cyber security insurance market is maturing and growing rapidly. This year, the market size will reach 20 billion dollars and is projected to grow to over 120 billion by 2032. Most data we have on cyber insurance coverage comes from surveys, market analyses, and reports from industry groups and insurance companies. According to a recent survey from Sophos, only 50% of companies have a standalone insurance policy, while another 40% receive some coverage as part of a broader business insurance policy.

To date, there have been roughly 3600 10-Ks filed with an Item 1C. Around 28% (824) of filings mention cyber insurance coverage. This is a much smaller subset than the 90% of respondents mentioned in the above survey. While there is no requirement to disclose insurance coverage in an Item 1C filing, insurance is incredibly salient to any risk management strategy, and as a result, I’d expect it to be referenced in most filings. Of the 824 filings that mention insurance coverage, only 30 provide detail on what their policy covers, and there was a broad range of topics (85 unique topics). Looking at Item 1C filings, the sectors that are most forthcoming about their insurance coverage are Healthcare, Financial Services, Industrials, Consumer Cyclical, and Technology (see below).

Note: Only 785 of the 824 10-Ks referencing insurance included sector data

Another interesting theme from 10-K insurance callouts: ~10% of companies (84 in total) that mention insurance specify that they ‘may not be fully insured’ or their ‘coverage may not be sufficient’. Given the increasing cost of security breaches, I suspect that far more than 10% of companies consider themselves underinsured — especially when it’s taking companies more and more time and effort to obtain cyber insurance coverage and there is a growing list of exclusions that can void/deny claims.

When looking at companies that consider themselves potentially underinsured, one sector stood out: Technology. This sector represented only 11% of total filings containing insurance information but made up nearly 20% of the 83 companies that consider themselves potentially underinsured. Makes you think: what’s the driving force there? If you have any thoughts, send them my way!

Note: Only 77 of the 83 10-Ks referencing insurance included sector data


Thanks for reading,
Matt

Insurance Categories Addendum