What may not be covered
Below are examples of types of risks that are not covered or only partially covered by most Cyber Risk policies:
- The cost to implement security upgrades after an attack
- A comprehensive written security program that is typically paired with a regulatory fine or penalty
- Damage, corruption, or deletion of intellectual property
- Audits performed periodically that are most likely required for several years after a data breach
- Restoration of a business's damaged reputation
For example, coverage under a Cyber Risk policy for the damage, corruption or deletion of intellectual property is typically limited to the cost of restoration or replacement and does not take into consideration its asset value to the company. In addition, most Cyber Risk policies will not provide coverage for upgrading security after an attack has occurred.
The average cost of a data breach is $200 per record, according to the 2013 Ponemon Institute study. This average cost includes notification, defense, credit monitoring, the services of a call center handling client complaints, and the cost of hiring a public relations firm. However, because most of these costs are not covered by insurance, a breach could leave a company with a damaged reputation, including a falling stock price and loss of customers. Therefore, companies should address their potential exposures before a breach occurs by implementing risk management procedures to enhance best practices for network security.
Source: “Cyber insurance not always enough,” Joanne Wojcik; Business Insurance, April 16, 2012