"The reputational damage would be huge, and insurance couldn't fix that, so we spend our effort and time securing [our systems]," he says -- while acknowledging that, without insurance, the company would be on the hook if a significant breach were to happen. "There is no such thing as being 100 percent risk free. Our job is to evaluate and manage our risks -- not to try and eliminate all risks."
Not surprisingly, Chubb's Goldstein counters that position, saying that organizations might find that they can survive the hit to their reputation -- not all breaches are made public, after all -- only to realize that the costs of repairing other damage will do them in.
"You'd hate to assume you'd be out of business because of reputational damage, only to find what sunk you wasn't the reputation but the cost of the liability," he says.
Extending the reach of cyber insurance
Corporate data now lives well outside the boundaries of a company's own building walls. It's on smartphones, laptops and even employees' own home-based desktops. It's in the cloud and on servers owned by business partners.
As a result, cyber insurance generally follows the data within a company, whether it resides on a hard drive or a server or a laptop or a smartphone, says Ken Goldstein, vice president of Chubb Group of Insurance Companies. "It's the natural extension of the coverage," he says.
Some insurance companies recently introduced specific policies called "excess contractual technology coverage" that can be purchased to cover problems stemming from data that resides with vendors, such as in the cloud.
Michael Overly, a partner at the law firm Foley & Lardner LLP, says IT leaders should both verify the extent of coverage with their own cyber insurance carrier and ask questions about what coverage their vendors carry before signing any contracts.
"Sophisticated companies now understand this issue and understand the risk involved and will be asking specifically for some sort of coverage from their cloud providers," Overly says. "That said, a lot of companies aren't yet quite sensitive to this issue. They don't know yet to even ask for this type of coverage."
Pratt is a Computerworld contributing writer in Waltham, Mass. Contact her at email@example.com.
This story, "Cyber insurance offers IT peace of mind -- or maybe not" was originally published by Computerworld.