While insurance is widely available to respond to most cyber risks, including data breaches, most cyber policies do not provide sufficient coverage to restore a business' damaged reputation or devalued intellectual property, or to pay for security upgrades after an attack.
Most cyber risk policies also don't cover the cost of a comprehensive written information security program that usually accompanies a fine or penalty, nor the periodic audits that the enforcing regulatory body likely will require for several years after a data breach.
But there are some effective risk management techniques that businesses can implement to reduce the chance that a data breach affecting those intangible and uninsurable assets will occur, experts say.
According to Traverse City, Mich.-based privacy and information management research firm Ponemon Institute L.L.C., the average cost of a data breach is $214 per record, including notification, credit monitoring, defense, forensics, call center services to handle inquiries from affected customers and the cost of engaging a crisis public relations firm.
However, “almost half of those costs are not transferrable to an insurance policy, and that's the reputational damage” that might cause a company's stock price to plummet or cause it to lose customers, said Zach Scheublein, senior account executive at Frank Crystal & Co. Inc.
“Cyber liability policies were intended to focus on personally identifiable nonpublic information that would lead to an investigation,” said Emily Freeman, London-based executive director of the technology and global privacy practice at Lockton Cos. L.L.C. “But you can't get coverage for the loss of customers that will no longer do business with you because they've lost trust in you.”
Similarly, “there are other cyber problems that have to do with the theft of intellectual property—industrial espionage” that may not be covered, Ms. Freeman said. “It's not possible to buy coverage to cover the true asset value.”
For example, “the coverage available for the damage, corruption, deletion of intellectual property that's on your system is limited to more or less the cost to replace or restore that on the computer network, but not the asset value. But if a foreign government or business partner has your information, putting it back does not restore you to the place you were before,” Ms. Freeman said.
“If you're talking about trade secrets or proprietary information or sensitive intellectual property that gets released as a result of a data breach, the first-party loss may not be insurable in most cases,” agreed Tim Stapleton, New York-based assistant vp and professional liability product manager at Zurich North America Commercial.
Insurance coverage is not yet available for many of these indirect losses because “it's very difficult to quantify the ‘soft costs’ of a data breach,” he explained.
In some cases, “fines and penalties will be covered to the extent they are allowed by law,” said John Mullen, head of the data security and privacy practice at the national insurance law firm of Nelson Levine de Luca & Horst L.L.C. in Blue Bell, Pa.
However, “if the Federal Trade Commission launches an investigation as a result of a breach...and they are found in violation and are committing unfair or deceptive trade practices, in the majority of these cases the FTC will mandate a comprehensive written security program. They may have to consult with a third party. That's an added cost that may not necessarily be covered by an insurance policy,” Mr. Stapleton said.
In addition, “the cost to upgrade security after the fact—most insurance policies will not provide coverage for that expense,” he said.
A large-scale cyber attack on critical infrastructure like utilities also is not insurable at this time, experts said.
“Some of these risks are so significant that pricing is challenging for the insurance industry,” said Howard Mills, chief adviser of Deloitte L.L.P.'s insurance industry group.
Because insurance is not readily available to transfer costs associated with these cyber risks, experts recommend that companies address potential vulnerabilities before a breach occurs by adopting internationally accepted best practices for network security.
In fact, “if you don't have an enterprise security program, insurers may say you're negligent” and deny coverage if a data breach occurs, said Jody Westby, CEO of cyber risk consultant Global Cyber Risk L.L.C. in Washington.