Cyber Insurance May Create False Sense of Security Among Senior Financial Execs: FM Global Survey

Seven in 10 senior financial executives at the world’s largest companies believe their insurer would cover most or all of the losses their company would incur in a cyber attack. Many of the losses they foresee, however, are rarely covered by insurance.

Source: FM Global | Published on July 31, 2019

Online internet secure payment and network safe communication and banking concept. Person pay in web via computer. Locks and padlocks on diagram.

In a study of more than 100 chief financial officers (CFOs) and other senior financial executives, commissioned by FM Global, one of the world’s largest commercial property insurers, 45 percent said they expected their insurer will cover “most” related losses from a cyber security event, and 26 percent said they expected their carrier will cover “all” related losses.

But most of the effects these financial executives expect to experience in a substantial cyber security event aren’t typically covered by insurance policies, according to FM Global. These effects include:

  • Degradation of the company’s brand/reputation (46 percent said this was a likely effect of a cyber security event)
  • Increased scrutiny from the investment community (40 percent)
  • Decline in revenue/earnings (38 percent)1
  • Introduction of regulatory compliance problems (35 percent)

Decline in market share (24 percent)

Decline in share price (24 percent)

There was one more choice: “New costs to mitigate the loss,” cited by 53 percent of senior financial executives. Indeed, many new costs—including expenses related to restoring data or equipment—would be covered by first-party cyber insurance or property insurance, according to FM Global. Litigation and customer notification costs would be covered by third-party insurance. But the rest of the listed costs in the study would likely have to be absorbed by the victimized company. Moreover, more than half said financial recovery from a substantial cyber security event would take months to years.

Consider total financial loss exposure

“As essential as cyber insurance is, the findings indicate financial executives may be deriving a false sense of security from it,” said Kevin Ingram, executive vice president and chief financial officer at FM Global. “While insurance is an essential part of the risk management formula, there are losses related to a cyber attack that insurance cannot cover—like damage to a company’s reputation, lost market share, missed growth opportunities, decreased valuation, and losses stemming from increased cost of capital. That’s why we’re so committed to helping our clients prevent loss in the first place.”

FM Global takes an engineering approach to identifying cyber risk and preventing property-related loss. Its cyber risk assessment tool identifies addressable vulnerabilities in physical security, information security, industrial controls and building automation systems.


The research was conducted by CFO Publishing based on the responses of 105 CFOs and other financial executives at companies with worldwide revenue of US$1 billion or higher, all of whom identified themselves as the senior-most financial executive in their organization.

About FM Global
Established nearly 200 years ago, FM Global is a mutual insurance company whose capital, scientific research capability and engineering expertise are solely dedicated to property risk management and the resilience of its client-owners. These owners, who share the belief that the majority of property loss is preventable, represent many of the world’s largest organizations, including one of every three Fortune 1000 companies. They work with FM Global to better understand the hazards that can impact their business continuity in order to make cost-effective risk management decisions, combining property loss prevention with insurance protection.

 1Although insurance would be expected to cover lost revenue during the span of a disruption, lost revenue related to lost growth, market share, brand equity, etc., after resumption of operations would not normally be covered.