A February 2011 paper by Khalid Kark of Forrester Research that addresses the fundamentals of cyber insurance indicates that many companies are still trying to understand the basics of these policies, which are offered by such carriers as ACE USA, Chubb, The Hartford and St. Paul Travelers Cos.
The most common questions revolve around what types of policies are out there, what they cover, how to select the right policy and whether such insurance is even needed.
"We're still seeing a knowledge gap," says Michael Overly, a Los Angeles-based partner with Foley & Lardner LLP and a member of the law firm's Information Technology & Outsourcing and Privacy, Security & Information Management Practices.
IT leaders are particularly susceptible to confusion, if only because CIOs, CISOs and other IT executives have not traditionally made decisions about corporate insurance policies. Likewise, the risk management and legal teams that typically do make insurance decisions have not customarily sought out their IT counterparts when purchasing insurance.
Yet IT's input is crucial when it comes to deciding whether to buy cyber insurance and determining what coverage to buy, security experts say.
"The IT people and the risk people desperately need to get together to talk about risk in terms of information technology and the likelihood and outcomes of a breach occurring," says Don Fergus, an IT risk consultant and 2012 chairman of the IT Security Council for the security professionals' organization ASIS International.
"Information professionals, especially information security leaders, need to step up. They need to understand that they're in charge of more than just security. They need to understand and articulate the vulnerabilities that they face in terms of risk. That's the language of the board."
What's covered, what's not
Cyber insurance policies are relatively new -- only about a decade old -- and are still evolving. As a result, executives and managers often misunderstand what policies will and won't cover, Fergus says.
Some companies purchase standard insurance policies and think they're fully covered, not realizing that the policy might cover physical property but not intangibles. Under a property insurance policy, for example, the cost of a server smashed up by a disgruntled employee would be covered, but not the company's liability for failing to perform a service for a client as a result of the server downtime.
Liability insurance generally offers protection from lawsuits or claims, but Fergus quickly points out that general liability, errors and omissions, and directors and officers liability insurance policies will not cover claims arising from electronic data loss or the lack of access to that data.
"From a property crime perspective, it's pretty straightforward. You know what your replacement costs are. That's well understood," Fergus says. "But cyber liability insurance is really the sharp end here. It can be the most costly, and it is very misunderstood. There are lots and lots of differences in coverage across the various carriers."
Ken Goldstein, vice president of Chubb Group of Insurance Companies in Warren, N.J., explains that cyber insurance falls into two general buckets. The first bucket covers costs associated with third-party liabilities, that is, claims from other organizations, and the second covers first-party expenses and/or losses, that is, damage to your own organization.
Additionally, policies are available that cover costs associated with a breach, such as third-party notification and PR expenses.