While you might think your general liability insurance policy will cover you for costs related to a data breach, it’s worth taking a second look.
The Lucile Packard Children’s Hospital at Stanford University was recently fined $250,000 by the California Department of Public Health for delayed reporting of a data breach. Regulatory concerns like these, along with concerns about the more straightforward implications of any security breach, are leading more and more companies to consider purchasing cyber liability insurance.

One such company is NeoSpire, Inc., a managed hosting services provider based in Dallas, Texas. Company president Mitch Gervis says he was surprised to learn that his general liability insurance policy didn’t cover a wide range of issues related to security breaches. “All sorts of things are not covered under your G&L – so we started to look into this very nascent field of cyber liability coverage,” he says.
Sean Bruton, NeoSpire’s director of security, says the company quickly learned that rates for cyber liability insurance are greatly affected by how secure your data is in the first place. “It’s like any liability insurance – insurance companies are doing a risk assessment of who they’re covering… essentially, their own security audits of you,” he says.

And those audits can be very broad in scope. “They’re asking what sort of security controls you have in place – everything from physical security to network security, intellectual property security – and when they don’t see a really mature, well-thought-out and proven security in place at the company, that of course is going to affect their rates,” Bruton says.

That can include everything from how you handle backups, Bruton says, to how you handle communications with customers, or how you screen employees. “They also go to industry experts when they look to create these security questionnaires, so you get some of the pretty advanced stuff, too, like you’d see in PCI and some of the more involved security assessments,” he says.

One key area that many companies miss, Bruton says, is the importance of reviewing logs and responding to security events as they happen. “Most companies, from what we’ve seen, don’t even consider their security logs at all,” he says. “They’re used solely as forensic sources after something’s happened, as opposed to another source of monitoring for intrusions and potential breaches.”

Once they understood the need for the coverage, Gervis says, the process of choosing a provider for cyber liability insurance was relatively straightforward. “We did it based upon quality – the rating of the insurance company – as well as cost… We had some people who put lowball bids in, but we weren’t that comfortable with their rating, so we went with a better-rated company,” he says. “It was a typical insurance decision.”

And NeoSpire is now working with its customers to help them seek similar solutions. “Generally, what our customers will do is they’ll just forward along the security questionnaires that they get straight from the insurance companies… and we supply all the supporting information, like our SAS 70 reports… and also some industry standard security assessments like PCI reports on compliance,” Bruton says. “And we’ll get back on the phone with their insurance companies if we need to, and make sure that they understand what components are outsourced to NeoSpire and how they’re being implemented for our customers.”

Gervis says assistance like that can be enormously useful for the insurance companies themselves. “It’s not like car accidents or things like that, where you have years of historical data and you can really get good at underwriting and knowing the risk of it… I think, being relatively new, it’ll take several years for things to get very standardized,” he says.

The bigger issue, Bruton says, is that most companies just don’t seem to be aware of the need for cyber liability coverage. “They’re absolutely aware of the need for security, but they’re not so much aware of the insurance side of it,” he says. “They think it’s covered by the G&L policy.”

At the same time, Bruton says it’s worth noting that some companies do need this kind of protection more than others. “These are liability policies, so they’re going to protect the organization against the risk of, primarily, being sued in the event that they had sensitive data that was compromised… and then if you’ve got healthcare data, payroll data, stuff like that, you’re going to have a lot of regulatory penalties, as well… So if you’re an organization that handles that sort of information in a fashion where it’s exposed to the risk of a breach, being on systems that are connected to the Internet, then it’s something you definitely want to consider,” he says.

And while many companies may think they’re already fully covered by their general liability policy, Bruton says it’s worth taking a second look. “Obviously, you want to make sure that your insurance will cover you… If you have a breach, it’ll be twice as bad if you can’t financially survive it,” he says.

Jeff Goldman is a veteran technology journalist and frequent contributor to eSecurityPlanet. Follow eSecurityPlanet on Twitter @eSecurityP.