Cyber policies a good deal, but choose carefully
Insurance policies that specifically cover the costs associated with a data breach are a good buy right now, but they are not all the same. Some provide excellent coverage while others are so general that you cannot be sure of what the insurer would pay for, says Roberta D. Anderson, JD, a partner with the law firm of K&L Gates in Pittsburgh.
"The cyber policies can be extremely valuable, but they really vary so you want your broker and outside counsel to guide you in selecting the right policy," Anderson says. "Some are almost useless, and some are tremendously valuable, and there may be no difference in premium between the two."
A good cyber insurance policy will pay for your defense and indemnity for lawsuits arising from the breach, Anderson says, but it also will cover you on a first-dollar basis (or close to it) so there is no deductible for notification, legal advice on how to notify, credit monitoring, forensics to figure out what happened, and public relations work. A cyber policy currently costs about $15,000 per million of limits, a low cost because insurers are just now trying to promote the policies, she notes.
Insurers will be less likely to balk about paying for data breaches under a cyber policy, at least for now, she says.
"Right now insurers don’t want to be the first to deny coverage under a cyber policy, so they will be more lenient in interpreting the contract language," Anderson says. "But five years from now when most providers have coverage, they won’t be so timid about saying no if they can find a way. Some of the policies now do not reasonably respond to how hospitals handle data through vendors, cloud providers, and other outside sources."