Of course, companies can purchase policies to address both first and third parties, so they're covered for a range of scenarios -- from the cost of notifying customers whose data was breached, to the cost of hiring a forensic IT team, even to paying extortion/ransom demands, Goldstein says. (See an example of Chubb's range of offerings here.)
IT pros as insurance experts?
Given that cyber insurance policies aren't one-size-fits-all and aren't as straightforward as other types of corporate insurance, companies need to determine exactly what coverage they need and whether it makes sense to pay the premiums associated with that coverage, says Eric J. Sinrod, a San Francisco-based partner at national law firm Duane Morris LLP.
That's where IT comes in. An organization's risk management and legal folks understand the language of insurance riders and exclusions, but no one is better equipped to understand and articulate an organization's information security system than the people who run it.
"The CIO is on the front lines in dealing with information systems and should know about actual and potential problems," says Sinrod, who hosts his firm's TechLaw10 audio podcast updates on technology law issues.
IT managers can also assist with facilitating an accurate cost-benefit analysis. "It might cost the company less to recreate the data than it would to pay for the insurance premium," he warns.
The risk evaluation process requires more than merely articulating what security measures are in place, explains Mark Lobel, a principal and a security benchmarking expert at PricewaterhouseCoopers.
Companies first must ensure they follow the best information security practices for their industries, he says. Insurance companies will want to know what security exists at a company before they write any policy, and they might even require a third-party audit to verify what's in place.
Then IT leaders should determine potential threats, their likelihood of occurring, and how such threats would impact the organization should they happen.
"You protect as much as reasonable, and insure against your residual risk. You can't insure [correctly] if you don't understand the risks," Lobel explains. "So you have to have a risk-based approach. You have to be able to say, 'Here's what I think can still go wrong because I'm not willing to spend $100 million for security.'"
Lobel suggests companies consider hiring a third party to perform a risk assessment to help fully identify and understand their security risks and identify areas for improvement. In fact, he says many insurance companies require such independent assessments to help determine premiums.
Just what insight can IT contribute to the decision-making process? Foley & Lardner's Overly offers two examples. The IT lead at a furniture manufacturer, for instance, should be able to make the case that his company doesn't store customer data electronically and therefore isn't a likely target for a hacker looking for credit card numbers, but that it still has critical systems which, if compromised, could shut down not only his own company's operations but perhaps work at the company's partner organizations as well -- a chain of events that could expose his company to loss-of-revenue liability.
On the other hand, Overly says, that hacker looking for customer data is of great concern to the CIO at a retail operation; if a breach occurred, the company could be required to spend millions on customer notifications, public relations and legal fees.
"A risk management person can't make these decisions without talking to the CIO -- that's the person who will give input on how much insurance coverage the company needs and what [threats] it really needs to worry about," Overly says.