How Companies Should Approach Cyberinsurance


By Adam Janofsky, WSJ Pro Cybersecurity

Cybersecurity risk coverage is one of the fastest-growing types of insurance in the U.S., but many companies still don’t think they need it or aren’t sure if their current policy covers relevant cyber risks.

A recent survey of 350 security executives found that 50% of U.S. companies don’t carry cybersecurity insurance, and 27% have no plans to buy it. The study, which was conducted by data analytics firms Fair Isaac Corporation, or FICO, and Informa PLC’s Ovum unit, also revealed that only 16% of firms carried cybersecurity insurance that covers all likely risks.

Anthony Dagostino, global head of cyberrisk at Willis Towers Watson PLC, a risk advisory firm, said that financial institutions, retailers, and health care organizations are the biggest buyers of cybersecurity insurance, but one of the largest discrepancies is between large and small firms.

About 80% of large companies have standalone cyberinsurance, but “only 20% of small companies are buying it,” said Mr. Dagostino, adding that many times it is an awareness issue.

“Smaller firms tend to not think of themselves as a target,” said Dan Burke, cyberproduct head at Hiscox Inc., a specialist insurer. “The headlines focus on the biggest attacks–what you don’t hear about is the huge number of attacks at smaller firms day in and day out.”

In addition to lack of awareness, many small and midsize firms don’t carry cyberinsurance because they aren’t asking the right questions, or they have misconceptions about what their current policies cover.

For example, many small firms rely on general liability insurance or a businessowners policy, which can protect a company from injury of property damage. But most of these policies don’t cover cyberrisks such as the cost associated with a hack or the theft of customer information and trade secrets.

“I often see companies fighting with their insurance carriers over a cyberclaim,” said Mr. Burke, who often recommends standalone cybersecurity policies because they “provide coverage that customers actually want.” Most of these fights over cyberclaims are due to “the very common misconception” that general liability insurance or other common policies can protect against cyberrisks, Mr. Burke said.

Questions to Ask

It’s fairly straightforward for a business to decide whether or not cybersecurity insurance is worthwhile, said Mr. Burke: Simply ask if your business would be disrupted by a cyberincident such as a network failure.

A more difficult question is how much insurance a business needs.

“In the past it was about how many records do I hold, how many credit card transactions do I make,” said Mr. Dagostino. “Now it’s a much different discussion–it’s about what are your critical assets and how reliant is your company on technology.”

For example, retailers with large online presences or contractors who hold confidential corporate information might want very robust coverage. Additionally, companies operating in industries that are more susceptible to attacks–such as small financial institutions or enterprises dealing with foreign governments–would probably want more coverage.

Mr. Burke added that one of the most important things to look at is the company’s revenue. “Larger firms have more to lose, so they tend to buy higher limits,” he said.

But even if a company has a strong cyberinsurance policy, it’s still crucial to invest in security and training. “It needs to be a three-pronged approach–cyberinsurance is very important but it’s only one piece of the puzzle,” said Mr. Dagostino, who also noted that companies with strong security measures in place can often save on their premiums.

(Adam Janofsky writes about cybersecurity for WSJ Pro, with a speciality in small business. He previously worked at Inc. magazine, Bloomberg News, and managed the WSJ’s startup blog. Write to Adam at For more information on the WSJ Pro Cybersecurity newsletter please visit