Not all companies -- or all IT departments -- are comfortable with this level of self-scrutiny, ASIS International's Fergus points out.
"There is a head-in-the-sand kind of view, 'I'm happy not knowing what I don't know,' " he says. "IT people and business people in general don't like to be criticized in terms of their ability to perform their duties. They may know they're vulnerable, but they don't want to write it down."
Even companies that have done their due diligence in terms of assessing cyber risk can be in for a jolt, Fergus says. "They go out to the [insurance] carriers, and they get sticker shock."
That's because cyber liability insurance can cost $7,000 to $40,000 per million dollars of loss. And with losses possibly totaling in the tens -- or even hundreds -- of millions, a policy large enough to cover such losses can carry staggering premiums.
"Insurance companies want to make money, and the only way they can do that is betting that your premium will exceed the cost of mitigating your claim. [They] are well aware of the costs of mistakes and missing security pieces," says Hord Tipton, executive director at the International Information Systems Security Certification Consortium Inc., or (ISC)2, a nonprofit organization that educates and certifies information security professionals.
Deciding how much coverage to buy can be tricky -- too little, and you don't cover your exposure. Too much, and you face the prospect of sky-high premiums.
Towers Watson's Risk and Finance Manager survey found that 61 percent of the responding companies that were carrying network liability policies bought $10 million to $49.9 million limits, with only 8 percent purchasing policies with $50 million or more in limits.
The survey found various reasons for how companies arrived at their particular limits, but 36 percent said the limit was proposed by their broker and 15 percent said they reviewed the level of exposure with a third-party cyber risk management firm.
Plan B: Just say no
Some companies take a look at the cost of coverage and balk. Overly says, "One of the fundamental deciding factors [for not getting it] is that it's expensive."
Another concern: a few high-profile cases, involving Sony and the University of Utah among others, in which the insurer and the organization filing a claim wound up in court.
Tipton, whose organization decided not to buy cyber insurance, worries that firms that do purchase cyber insurance can become lax. "A company should not let complacency set in just because they are insured," he warns. "Negligence is not insurable, nor is your reputation or stock price if due diligence is not practiced."
More important, Tipton maintains, insurance couldn't help his firm recover the greatest, most valuable loss it would suffer should a breach occur: its reputation.
"The reputational damage would be huge, and insurance couldn't fix that, so we spend our effort and time securing [our systems]," he says -- while acknowledging that, without insurance, the company would be on the hook if a significant breach were to happen. "There is no such thing as being 100 percent risk free. Our job is to evaluate and manage our risks -- not to try and eliminate all risks."
Not surprisingly, Chubb's Goldstein counters that position, saying that organizations might find that they can survive the hit to their reputation -- not all breaches are made public, after all -- only to realize that the costs of repairing other damage will do them in.
"You'd hate to assume you'd be out of business because of reputational damage, only to find what sunk you wasn't the reputation but the cost of the liability," he says.