Cyberinsurance: Everything You Need to Know About Why and How to Buy It

Recent news about hackers breaking into large companies’ systems and wreaking havoc has caused senior executives at companies of all sizes to consider adding cyberinsurance to their portfolio of protections.

In fact, if a CEO has not thoroughly considered cyberinsurance, one has to question whether his or her fiduciary duty has been met.

A recent article in The Wall Street Journal calculates the size of the threat that hackers pose to companies. As one cybersecurity expert states, hackers dwell in a company’s systems for a median of 209 days, and most often the company’s executives don’t find out until an outside agency such as the FBI becomes involved.

“Existing business insurance policies usually do not cover cyberattacks.”

Costs associated with a data breach are high and can easily exceed $100 million. A 2014 study of U.S. companies by the Ponemon Institute puts the cost of a data breach at $195 per record lost (an average of $5.85 million per incident).

Common misperceptions about cyberinsurance include:

  • Our existing business insurance policies cover cyberattacks. Not true! Almost all companies have some sort of Commercial General Liability insurance, and generally these policies will NOT cover cyberattacks.
  • Cyberinsurance policies are expensive. Not necessarily. With adequate IT infrastructure and legal and management assistance, most policies are affordable.
  • The ‘standard’ cyberinsurance coverage will do. There is no standard policy: a cyberinsurance policy is tailored to each company, and carriers offer coverage for different types of risks.

So what does cyberinsurance cover?
Cyberinsurance policies can be broadly divided into two types of risks to be covered:

  • First-party risks. This is the risk of damage to your company and your company’s IT infrastructure. This includes loss or damage to electronic data, software and hardware. Coverage should include remediation costs (i.e., the cost to hire people to restore or rebuild your IT systems).
  • Third-party risks. These risks are extensive, and the policy should cover damages caused by the data breach to others, including customers and other businesses. Third-party risk coverage should include the costs of defending claims from customers, contractors, shareholders and regulators, and may also cover any resulting penalties. In the first of what could be many lawsuits, Target recently settled with MasterCard for $19 million in damages to the credit card company.

How to get started
Once you’ve decided to purchase cyberinsurance:

  1. Contact a broker who has cyberinsurance experience and discuss potential insurance companies. These insurance carriers will conduct reviews of your company and recommend types and levels of coverage.
  2. Obtain experienced legal counsel who can work with company executives and the potential insurance companies to ensure the resulting cyberinsurance policy adequately covers a company’s risks.

There are additional hidden benefits of cyberinsurance. Management will gain a better understanding of the company’s risk profile. And the insurance company will likely provide suggestions on how to increase your company’s IT security and training. With the assistance of qualified counsel, most companies take the next step and develop a data breach response plan. Finally, if the worst should happen and your company becomes a victim of a hacker, your legal counsel and insurance company are ready to assist in executing your data breach response plan.
