Cybersecurity insurance: it's complicated

by Paul Gillin

With computer security breaches practically an everyday occurrence, the appeal of insurance policies specifically designed to cover cyber risk has grown. More than 50 insurance companies now offer cyber coverage, according to the Financial Services Roundtable. Cyber insurance is a $2 billion industry, and the fastest-growing category of business insurance by a wide margin. But in an evolving market no two policies are alike, experts say, and that makes buying cyber insurance a risky proposition in itself.

Most businesses have general liability policies that insure against physical damage and personal injury, but few of those policies cover cybercrime. In fact, some insurers go so far as to specifically exclude data-related damages from their coverage.

The market is new, the costs are fuzzy, and there isn’t one broadly accepted metric of the cost of a data breach. Costs can vary widely depending upon the type of data stolen, the industry and even the size of victimized company. What’s more, new risks are emerging all the time. Two years ago, few people had even heard of “ransomware,” a new breed of attack that threatens to destroy victims’ data unless they pay the attacker. It’s one of the fastest-growing categories of cybercrime, but few policies cover it. Making things more complex is that attack victims are often reluctant to reveal the actual damages they suffered.

There is no “one size fits all” policy. Factors that insurers take into account include a company’s industry, its products and services, data risks and exposures, the quality of its IT security, privacy procedures, and revenues.

That’s why prospective buyers need to research their vulnerability and potential losses in order to specify in detail what the policy must cover. Consider such factors as the cost of notifying compromised individuals, customers’ replacement costs, identity theft protection, regulatory penalties, loss of market value, brand damage, legal fees, technology fixes, and management time lost dealing with the problem.

Think also of circumstances that are unique to your business. In the case of the Sony Pictures attack, embarrassment caused by leaked documents had far-reaching consequences, including damage to relationships that are critical to its business. How do you quantify those?

Beware of Exclusions

Some insurers won’t pay for legal fees incurred defending against regulatory penalties or for damage caused by a state-sponsored attack. With the source of attacks becoming increasingly difficult to trace, these disputes over details can tie up claims in the courts for years.

One important exclusion nearly all insurers enforce relates to sound security practices. Failure to use strong access controls, encryption, password protection, and even formal employee education can invalidate a policy or trigger a lawsuit. Management needs to buy into the fact that security is everyone’s business.

“Cyber issues remain marginalized within the IT department, rather than being incorporated into a broader enterprise risk management framework,” wrote Kenneth Corbin on “And that’s a problem.”

Finally, be prepared to write a big check. Costs can be influenced by the number and types of records involved, the appeal of the data to prospective attackers, the size of the company, and the underwriter’s estimate of the value of the information.

Insurance broker Cyber Data Risk Managers has a list of actual policy costs of customers it has insured. A quick look shows that when you go into the market for cyber insurance, be prepared to abandon all assumptions.