Most organizations know they need insurance to cover risks to their property, such as fire or theft, and their liability if someone is injured in the workplace. But a substantial portion of organizations do not carry coverage for data breaches, despite numerous high-profile breaches. While many insurance companies offer cyber insurance, not all policies are created equal.
Why is buying cyber insurance difficult?
- There is little standardization among competing policies; as a result, it is hard to comparison shop.
- Policies’ exclusions often swallow coverage; as a result, assessing the value of a policy is difficult unless you have extensive experience with the types of liabilities that arise following data breaches.
- Policies often cover security but not privacy risks.
Items to review when shopping for cyber insurance:
- Do the sub-limits on coverage match the corresponding risks?
- Does the policy include sub-retentions (sub-deductibles) that are unlikely to be reached?
- Do exclusions prevent payment for the largest risks, e.g., charges that arise following a credit card breach, common theories alleged in class actions, etc.?
- Is voluntary notification of affected consumers covered?
- Will credit monitoring for affected consumers be covered?
- Who does the insurer have on panel for legal representation, forensic investigations and/or crisis management?
The following provides a snapshot of information concerning cyber insurance.
Percentage of companies that had cyber insurance in 2015.1
Percentage of companies that believed their exposure to cyber risk would increase in the next 24 months.2
Percentage of companies that did not plan to purchase cyber insurance in the next 24 months.3