Most organizations know they need insurance to cover risks to the organization’s property like fire or theft, or their risk of liability if someone is injured in the workplace. But a substantial portion of organizations do not carry coverage for data breaches despite numerous high-profile breaches. While many insurance companies offer cyber insurance, not all policies are created equal.
Why is buying cyber insurance difficult?
- There is little standardization among competing policies; as a result, it is hard to comparison shop.
- Policies’ exclusions often swallow coverage; as a result, assessing the value of a policy is difficult unless you have extensive experience with the types of liabilities that arise following data breaches.
- Policies often cover security but not privacy risks.
Items to review when shopping for cyber insurance:
- Do the sub-limits on coverage match the corresponding risks?
- Does the policy include sub-retentions (sub-deductibles) that are unlikely to be reached?
- Do exclusions prevent payment for the largest risks, e.g., charges that arise following a credit card breach, common theories alleged in class actions, etc.?
- Is voluntary notification of affected consumers covered?
- Will credit monitoring for affected consumers be covered?
- Who does the insurer have on panel for legal representation, forensic investigations and/or crisis management?
The following provides a snapshot of information concerning cyber insurance.
- 19%: Percentage of companies that had cyber insurance in 2015.[1]
- 52%: Percentage of companies that believed their exposure to cyber risk would increase in the next 24 months.[2]
- 46%: Percentage of companies that did not plan to purchase cyber insurance in the next 24 months.[3]
[1] Ponemon, 2015 Cyber Impact Report, (April 2015), http://www.aon.com/attachments/risk-services/2015-Global-Cyber-Impact-Report-Final.pdf.
[2] Id.
[3] Id.