Hardly a week goes by that the national media does not report on another Internet data security breach, denial-of-service attack or other cyber loss affecting Fortune 500 clients and their thousands (or hundreds of thousands) of customers. The costs of simply investigating and responding to these losses -- not to mention the resulting lawsuits and regulatory fines -- can be staggering. For instance, the Ponemon Institute estimates that response costs can be as high as $200 per compromised record. It is not difficult to understand how total costs for a wide breach can quickly escalate well into the millions of dollars.
Enter the insurance industry. Historically, in the face of a third-party claim, one would turn to general liability or other policies. Yet coverage under general liability policies is typically limited to "property damage," which may include physical damage to servers, for example, but probably not loss of the data itself. And while crime, fidelity or errors and omissions policies may provide some coverage, again they would typically exclude the lion's share of the expense of a cyber loss. The response has been a line of policies -- known as cyber liability (or data/privacy liability) policies -- specifically tailored to cyber risks.
It is certainly true that large data breaches or denial-of-service attacks at large corporations -- as well as losses of laptops and other mobile devices -- get the most media coverage. But smaller companies can and do face such losses and thus can benefit from mitigating their risk through cyber liability insurance. And in some ways, cyber liability insurance is even more appropriate for smaller businesses. Large companies typically have the foresight and ability to manage cyber risk up front and the sophistication to deal with losses when they arise. For smaller businesses, this is not always so, but the playing field can be leveled to some degree through insurance.