The report, which was compiled by insurance analytics company Advisen Ltd. and data breach response firm ID Experts based on survey responses from 203 risk-management professionals, concluded that cyberinsurance is largely designed to protect against "low-frequency but high-severity" cyberattacks affecting many thousands of electronic records.
However, the report also determined that the costs associated with the majority of data breaches that hit the responding risk managers' companies fell below the deductibles in the companies' cyber policies. For large corporations, data breach response costs under the applicable deductible may not be much of a concern, but for smaller companies, those costs may be more significant, experts say.
"The report also highlights the need for companies to negotiate favorable retroactive dates in their cyber policies so they will be covered in the event they were hit by an undetected data breach before obtaining the policy," Anderson Kill PC shareholder Joshua Gold said.
"From an insurance coverage standpoint, the report alludes to the fact that some policyholders are breached before they even know it," Gold said. "For cyberinsurance buyers, this highlights the need to get a favorable retro date for the policy — one earlier than the policy inception date.”