Cyber insurance decisions require IT's input


The cost of data breaches is on the rise, and insurance companies have responded by making more network liability protection available. The cost of this insurance can seem prohibitive, however, and companies aren't exactly jumping at the offers, reports Computerworld's Mary K. Pratt in a comprehensive look at cyber insurance.

Out of 164 risk managers recently surveyed by Towers Watson, 73 percent reported that they have not bought network liability insurance. Some in that subset said they believed their IT controls to be sufficient, and others cited low concern about the risk or policies that were too expensive.

There appears to be a lot of confusion in the marketplace over cyber insurance, Pratt reports. Often people wrongly believe that general liability insurance covers cyber-related losses. Several large insurance companies, including Chubb and The Hartford, have offered cyber policies, but potential customers are often unsure about how to get the right coverage.

One difficulty is that IT executives, who are the most knowledgeable about network risks, generally are not the ones who make decisions about corporate insurance. At the same time, risk managers and lawyers, who know their way around insurance, tend not to loop in the IT leaders when making purchasing decisions.

"The IT people and the risk people desperately need to get together to talk about risk in terms of information technology and the likelihood and outcomes of a breach occurring," says Don Fergus, an IT risk consultant and 2012 chairman of the IT Security Council for the security professionals' organization ASIS International. "Information professionals, especially information security leaders, need to step up. They need to understand that they're in charge of more than just security. They need to understand and articulate the vulnerabilities that they face in terms of risk. That's the language of the board."

Cyber insurance is still in flux and insurers vary considerably in the coverage they offer, making it difficult to know what is and isn't covered, experts say. At Chubb, there are two general categories of cyber insurance, according to Ken Goldstein, vice president of Chubb Group of Insurance Companies. One category includes costs related to third-party liabilities, and the other involves damage to the insured party's company.

In some cases it could be less expensive for an organization to recreate lost data than to have purchased insurance to cover the loss, says Eric J. Sinrod, a San Francisco-based partner at national law firm Duane Morris LLP. Input from IT is necessary to make these kinds of determinations, he says.

For more:
- see Mary K. Pratt's article at Computerworld
