Cyber-insurance policies cover business liability for a data breach in which customer information (such as social security or credit data) is exposed or stolen by a hacker. Such policies may also cover data breaches due to employee error or malfeasance.

Depending on the policy, this insurance can cover a range of expenses associated with data breaches, including notification costs, credit monitoring, costs to defend legal claims, fines and penalties, and other applicable losses.

If your company is considering a cyber-insurance policy, review it carefully so you understand what it covers, what it excludes, and the amount you would be required to pay out-of-pocket before reimbursement kicks in. Consult an attorney to ensure you understand the provisions.

Items to review include:

• Any actions you would be obligated to take in the event of a data breach, e.g., using pre-approved response firms such as notification services, investigators, or crisis PR.
• Caps on forensic investigation costs relative to overall policy limits.
• The amount your organization must pay before reimbursement.
• Policy terms that allow your insurance provider to control vendor selection and response activities while you bear the brunt of the cost. These are cause for concern.

Above all, understand that data security regulations continue to evolve. Be sure to evaluate your policy and organizational operations annually to ensure your risk and risk management practices are in alignment.