Reasons not to buy Cyberinsurance

While insurance companies can provide a one-stop shop for breach notification, crisis management and public relations after a security disaster, many organizations are not aware of the sublimits of coverage on their policies -- often regulatory issues or legal defense -- until they make a claim. The sublimits "ratchet down" the value of the quoted coverage. "Typically, when clients review that, they opt not to go ahead with the purchase," said Wheeler. Gartner generally sees cyberinsurance policies of $5 to $15 million (not including laddering) with annual premiums ranging from $10,000 to $35,000 per $1 million of coverage. "I haven't seen much beyond $100 million in total aggregate for very large situations," Wheeler said.

Organizations need to pay close attention to the information that they provide in their pre-insurance applications. "It becomes a central part of their policy," said Wheeler. "When a claim is actually made, if any of that information becomes suspect or is just not valid…the insurer will use it to not pay the claimant or, in the worst-case scenario, to void the coverage altogether."

Organizations should have their risk manager, security officer and legal counsel peruse any policies before purchasing cyberinsurance. "These policies are complex, and they have definitions of definitions, and you have to be really careful of exclusions," said Geisiger, who noted that some policies can be as low as $5,000 for limited coverage.

High premiums and worries about claims actually being paid are top concerns of the uninsured. Less than one third (31%) of respondents surveyed across multiple sectors had cybersecurity policies, according to Ponemon research. Of the organizations that did not have policies, 57% reported plans to buy cyberinsurance while 43% did not have such plans -- in part, because of high premiums and too many exclusions (see table).