Editor's Note: This piece was created for ISMG's Security Agenda magazine, distributed at RSA Conference 2013.
Despite headline-grabbing data breaches that have proven costly to organizations in many sectors, the purchase of cyber-insurance to cover potential costs remains relatively rare.
Cyber-insurance policies vary widely, but they often cover notification expenses, credit-monitoring services, and, in many cases, legal defense costs and even government penalties.
"Cyber-insurance is viewed as much more of a discretionary purchase, and risk managers really have to be educated on the need to purchase the coverage and what the coverage actually provides," says David Bradford, who published a 2012 survey that addresses cyber-insurance for RIMS, the risk information management society (see Coming of Age of Cyber Insurance).
"So far, that's been a little bit of a difficult sell for brokers," Bradford says. "Partially it's because it's a new product with brokers as well. A lot of them just don't really understand the products that well themselves. They don't do an effective job of indicating the need to the buyers."
A 2012 survey of more than 100 global Forbes 2000 corporations by Carnegie Mellon CyLab shows that many board members and executives incorrectly believe that other types of corporate liability insurance cover losses due to data breaches, says lab official Jody Westby.
"That's pretty stunning because most corporations, especially large global corporations, should understand that cyber-risks generally are not within property and general corporate liability policies," Westby says.
It's not just executives and board members who have yet to see a need for cyber-insurance. Corporate risk managers in many organizations, as well as a large number of the insurance brokers that corporations rely on to tailor coverage to meet specific exposures, don't fully appreciate what cyber-insurance offers.
Bradford estimates that 40 insurers offer cyberliability coverage. By comparison, about 5,000 companies provide property and casualty insurance in the United States.
Because the cyber-insurance industry continues to mature, its offerings aren't as consistent from provider to provider as they are with other types of insurance. "There are so many material differences between the coverages available that there is no real one-size-fits-all approach," says Richard Bortnick, an attorney at the law firm Cozen O'Connor.
What's covered by most cyberpolicies? Generally, they fall into two areas: first-party coverage, which covers direct expenses, and third-party coverage, which covers payments made to others.
Examples of first-party coverage include the cost of notifying stakeholders of a breach and, when necessary, providing them with credit-monitoring services, which insurer Chubb estimates could cost up to $30 per customer. Other first-party expenses include repairing a reputation harmed by a breach, including public relations costs; restoring systems and data; repaying funds stolen through fraud or extortion; and covering revenue losses associated with computer system disruptions.
Third-party coverage encompasses court-imposed damages, regulatory penalties and defense costs associated with lawsuits alleging the disclosure of customers' personally identifiable information or harm to business partners' systems.
An organization's decision on what type of policy to buy and what it should cover depends, in part, on the type of information that could be exposed.
"To the extent that an entity has a large number of personally identifiable information records, then there's a much bigger chance of exposure," says Kevin Kalinich, global network and cyber-risk practice leader for Aon Risk Solutions, an insurance brokerage. In general, businesses with such exposures include retailers, hospitality providers, healthcare providers, health insurers, financial institutions, payment processors and educational institutions, including colleges and universities.