As insurers vie for business, there are fewer exclusions than there used to be in these policies, but they still exist and can often surprise policy-holders who don't read the fine print. Goldstein says standard exclusions might include patent infringement; code infringement; return of fees (disgorgement); or costs and expenses incurred to replace, upgrade, update, improve or maintain a system. Insurers also might exclude coverage for situations where information is compromised because an employee used unencrypted media, like taking their client list home on a data stick, or where a disgruntled employee absconded with access codes or personal information. And, perhaps the qualification giving most pause, the majority of policies set firm timeframes in which to report a breach, even though many breaches take weeks or months to discover. Among the 30 percent of Ponemon study respondents who said they had no interest in purchasing a cyber insurance policy, one of the key issues was concern about too many exclusions, restrictions and uninsurable risks.
Not if, but when
Just as IT security professionals have come to learn that the likelihood of a breach is less about if it will happen and more a question of when, the same could potentially be said for securing cyber liability insurance – it's not a question of if most organizations will opt to purchase it, just when they will. The concern is no longer that a major breach will cost a lot or drive away customers or give the company a bad reputation. Rather, it has become do or die for many companies given the financial and legal aftermath.
“The benefit simply comes down to risk transference,” says Lysa Myers, security researcher at ESET, a global IT security company. “In a time when the risk of a breach grows faster than most companies' ability to defend against them, transferring the financial risk with insurance coverage can give companies enough cushion in order to survive the hit caused by such an event.”
Cyber insurance can help companies pay for the expenses incurred in a cyber liability lawsuit and potential indemnification costs, says Goldstein. In addition, it can help cover many of the costs associated with a data breach, such as notification and credit-monitoring expenses or the cost to conduct a forensic examination to help determine the cause of the breach, he adds. “Executives should also consider the importance of risk management and loss prevention tools that are offered by some insurers as well,” Goldstein adds. For instance, Chubb provides its cyber insurance customers with access to eRisk Hub, an online site that provides a template to help develop an incident response plan, access to a data breach attorney and recent articles, whitepapers and other risk management tools.
Indeed, the preparation and due diligence that go into the underwriting process often force organizations to take a closer look at their own network security policies and practices, which in turn can make them more secure. In fact, 62 percent of organizations in the Ponemon study believe obtaining cyber insurance has made their company better prepared to deal with security threats.
“Nothing will totally mitigate our risks here,” says Deshuk. “But these policies help and they are going to grow.”