
Cyber insurance supplements, not replaces, data breach security

Cyber insurance is increasingly popular, but experts say it doesn't negate the need for strong data breach security products and services.

Insurance providers are seeing more demand for privacy breach policies -- known as "cyber insurance" in the technology world -- as a way to protect end-user companies from penalties following highly publicized data breaches and the financial tolls they have taken on the companies whose data are breached.

But channel companies should not take that as a knock against their products or services, according to Robert Scott, a partner with Dallas-based Scott and Scott, which advises businesses on legal and technical issues. Scott recommends that all his clients get privacy breach policies to supplement their existing security plans.

The purchase of a cyber insurance policy does not mean that a client is dissatisfied with the security products and services purchased from value-added resellers (VARs), systems integrators (SIs) and managed service providers (MSPs).

"Regardless of the strength of your system, you're going to have a high percentage of companies suffering data breaches," Scott said. Most breaches are caused by a physical breach, like an employee losing a laptop, not a stereotypical attack from outside.

"It's not the be-all and end-all strategy. It's one tool in the tool chest. It certainly is not a silver bullet." -- Robert Scott, partner, Scott and Scott

There are two ways that VARs, SIs, MSPs and even direct-to-market vendors can avoid being held liable for breaches themselves.

First, they can try to include a disclaimer during contract negotiations with clients, so they're not liable even if the worst should happen.

But in cases where customers refuse to sign, channel companies that do assume risk have their own insurance option: It's called an "errors and omissions" or "professional liability" policy, and it prevents their clients from seeking damages against them in case of a data breach. Some clients won't even do business with channel companies or vendors that don't have such a policy.

"It's starting to show up in more and more contracts but is typically not required," said Steve Haase, CEO of INSUREtrust, an Atlanta-based cyber insurance brokerage.

The price of those policies depends on the size of the vendor or channel company and the level of coverage desired. But they typically run between $25,000 and $50,000 per million dollars of coverage for large policyholders, and between $15,000 and $20,000 for smaller ones, said Patrick Donnelly, co-managing director of professional risk solutions for Aon Financial Services Group.

Insurance providers are not seeing the same large increase in demand for those policies because they have existed for decades, and many clients require VARs, SIs and vendors to purchase those policies before entering into any contracts, according to Nick Economidis, vice president and product manager for AIG's National Union Fire Insurance.

For end-user businesses and organizations, purchasing cyber insurance is not so cut-and-dried. Although most policies cover the crisis management costs of a data breach -- public relations expenses, consumer notification and free credit monitoring, and legal defense and liability -- they will not pay for lost intellectual property.

"There's no fair way to value it," Economidis said.

They also don't cover the immeasurable cost of restoring the public's confidence in a company.

"Perhaps the biggest damage can be to reputation," Donnelly said. "Insurance companies won't be able to help with that issue."

Most privacy breach policies follow the same price scale as errors and omissions policies, Donnelly said. Clients can add on extra coverage, like for losses caused by rogue employees or breaches that occur via mobile devices, but each of those comes with a higher price tag, Haase said.

Still, Haase said cyber insurance for the most part is not cost-prohibitive. Some of his clients have purchased $10 million in coverage this year for what would have gotten them only $5 million in coverage last year, he said. And he expects premiums to stay on the decline as more providers and brokers enter the market.

Even if price is not an obstacle, there can be others -- like finding a company to underwrite a policy in the first place. Providers examine potential clients' policies and systems for data protection before deciding whether or not to insure them.

National Union Fire Insurance, for example, has 11 criteria that potential policyholders must meet to purchase insurance. The company looks at everything from virus protection and firewalls to access controls and incident response before making a determination, Economidis said.

Just about 20% of businesses and organizations have some sort of cyber insurance now, but Haase expects that to increase as prices go down and the breadth of coverage expands.

"Eventually this coverage will be a standard purchase by most businesses," he said.

Let us know what you think about this story; email: Colin Steele, features writer.
