Most large enterprises in the UK still aren't managing risk through dedicated cyber-insurance policies, and the few that do buy do so on the recommendation of legal rather than IT departments, an analysis by the non-profit Corporate Executive Programme (CEP) has found.
Given that cyber-insurance in the UK is still in its early stages, some of the numbers turned up aren't a complete surprise: for instance, 40 percent of US respondents used dedicated cyber-insurance, as against only 14 percent in the UK. Greater US regulatory demands largely explain this difference.
Overall, 20 percent had dedicated cover, 25 percent self-insured (i.e. set aside money to pay for incidents), and 23 percent felt their general insurance cover was sufficient for such eventualities. That left a further 20 percent with no insurance at all and 12 percent who weren't sure.
Two questions emerge from this - what were the firms that bought dedicated insurance protecting themselves against and who made the judgement call?
Brand protection and possible loss of business from disruption were cited as important motivations, followed by cleanup costs and privacy and compliance obligations.
How likely an organisation was to be one of those with cyber-insurance in place seemed to depend on how centralised its risk-management function was. Curiously, the centralisers were less likely to have dedicated cyber-insurance (15 percent) than those using a decentralised model (31 percent) with the former preferring self-insurance.
"One possible explanation for this is that, where a centralised function exists, the organisation can look at risk to the whole business from an aggregated point of view. With a decentralised function, the picture is more fragmented," suggested CEP's report authors.
This implies that cyber-insurance take-up isn't always a fully rational decision: it can happen without all the information to hand.
Perhaps the biggest surprise of all was the negligible role of CISOs in buying insurance - not a single one of the sample organisations said this role made the decision to buy or not buy cyber-insurance.
In half of the cases the decision was made by legal departments, with a further quarter made by executive boards or some kind of dedicated risk function. Often infosec heads didn't even seem to know what insurance was in place at their organisations.
What does this all mean? Probably that cyber-insurance remains a boutique purchase, with many people inside large organisations knowing almost nothing about what cover they do or don't have. When it is used, cyber-insurance is still seen as a piece of financial engineering, which means that security heads become peripheral figures.
"If the CISO is not taking part in the discussion or the decision about cyber insurance then the organization is bound to over-spend and under-spend on the other pieces of the puzzle providing an overall ineffective risk coverage for the organization," commented Amichai Shulman, CTO of security firm Imperva.