October 12, 2016

Cyber Insurance: One Size Doesn’t Fit All

Shop carefully to find the right cyber insurance policy.

In June 2014, hackers posted about 60,000 stolen credit card numbers belonging to P.F. Chang’s customers on the internet, CSO Online reported. Fortunately, the restaurant chain had purchased cyber insurance as part of its security strategy. But the company may have been surprised by what its policy didn’t cover.

The company recovered $1.7 million from its insurer for expenses related to the breach and for defense of a class action lawsuit. However, almost $2 million for a fraud recovery assessment was ruled not to be covered by the policy.

This case illustrates the benefits and drawbacks of cyber insurance. Coverage against the consequences of data breaches can be an effective tool in an enterprise security plan, but enterprises must shop carefully to find the policy that suits their particular risks and provides the best value.

Cyber Insurance Policy Standards

The relatively new cyber insurance market has yet to solidify policy standards. There is limited historical data on the financial consequences of cybercrime, making it difficult for insurers to estimate probabilities and costs of losses, says David Burg, global and U.S. cybersecurity leader at PricewaterhouseCoopers, in a CIO Dive article. This makes it challenging for insurers to devise policies that are profitable while thoroughly protecting customers. Nevertheless, cyber insurance is a hot growth market. In 2015, more than 500 companies provided cyber insurance in the United States.

Specific coverage and premiums vary significantly. “As a result, companies are often uncertain about what is and is not covered by their policies and are often insuring the wrong things at a time when claims can be rejected for inadequate cybersecurity testing procedures and audits, outdated patches, inadequate cyber incident response plan and inadequate backup and recovery processes,” according to the CSO Online article.

Protection at Any Cost? Maybe Not

Insurance will not cover all costs stemming from a breach. After breaches at Target and Home Depot, for example, both companies recovered less than half of their total costs from insurance. Things like theft of intellectual property and damage to enterprise reputation are considered too difficult to measure in monetary terms and are not covered by any insurer. Other costs, including restoration of lost data, acts and omissions by third parties (such as cloud providers), and claims against inadvertent transmission of malware, may be covered by some insurers, but not others.

Cyber insurance is worth a serious look, but you’ve got to sweat the details. Your information security team and legal advisers should provide input during this process. And, as the cyber insurance market evolves, periodic scrutiny of your policy and alternatives is a must.
