Willis calls 2011 the “Year of the Breach” and says that whilecompanies are rightfully concerned about their Cyber exposures,they need to carefully examine their insurance coverage andrisk-management strategies to ensure they are adequatelyprotected.

“The major assets of any Fortune 500 company, whetherheld in credit-card data or the proprietary recipe for a soda, areintellectual, and attacking the operating system containing thisinformation could bring a company to its knees,” says Ann Longmore,executive vice president of FINEX, Willis' financial,executive-risk and professional-liability business.

She adds, “The boardroom is full of intelligent people, buthackers are endlessly innovative, making this a constantly evolvingduel between good and evil over assets and knowledge.”

The average size of a data breachin the U.S. last year was $5.5 million, according to the IdentityTheft Resource Center (ITRC), and 105 breaches have exposed nearly4.5 million records in just the first quarter of 2012.

Companies are finding that insurers aren't paying willingly forcyber attacks. For example, in August 2011 Sony was sued by ZurichAmerica, its Commercial General Liability insurer, with the carrierclaiming its General Liability policy did not extend to databreaches.

Willis says the term “physical damages” in Commercial GeneralLiability policies doesn't always apply to electronic data, whichis why it is important for companies to set policies and budgetsoffsetting the potential financial loss of a cyber breach. It couldalso benefit insurance managers to pick up endorsements for DataBreach, Cyber Extortion and Digital Asset losses.

And because company directors and officers are often sued inderivative suits for failure to disclose and manage customerexposure, both public and private companies should ensure thattheir D&O liability is flexible to Cyber claims.

The SEC's Division of Corporate Finance has issued an advisorythat recommends disclosure steps related to cyber-securityrisks—but the SEC maintains that compliance is beneficial, notmandatory.

“Companies should disclose the risk of cyber incidents if theseissues are among the most significant factors that make aninvestment in the company speculative or risky,” Willis states inits third-annual guide on executive boardroom risks, released thismonth.

Appropriate disclosures should discuss aspects of business andoperations—including outsourcing—that expose the company to cyberrisks as well as the steps taken to mitigate them. Such adisclosure should also include a timeline of short- and long-termcosts, the consequences of breaches, and descriptions of relevantinsurance coverage, Willis adds.

CYBER SELLS, BUT WHO'S BUYING?

According to a recent Chubb survey of public companies, morethan 70 percent say they have an incident-response plan for anelectronic-security breach.

That would appear to be good news.

But the bad news is nearly 60 percent of the companies surveyedsay Cyber Liability insurance is not a part of theirincident-response plan.

Other survey results indicate there isa definite concern about data breaches, but it doesn'tnecessarily lead to an insurance purchase to appropriately coverthe risk.

The results are presented as part of an infographic presented byChubb, further revealing results of its “2012 Public Company RiskSurvey.”

In the same survey Chubb discovered there is a “general lack of concern” among surveyed public companies thattheir directors and officers will face a lawsuit.

The survey of decision-makers at 145 public companies in theU.S. and Canada was conducted by Pollara, an independentpublic-opinion and market-research firm.

On Chubb's blog, Ken Goldstein, vice president at ChubbSpecialty Insurance, writes that he has spoken to small and midsizebusinesses about Cyber risk and “discovered there's somemisunderstanding about their risk and how their current insuranceprogram will respond to this type of loss.”

Goldstein says they think other policies provide coverage—whichmay be partly true. Some coverage could be available under otherpolicies, but “there are frequently significant gaps in coveragethat could leave a [small or midsize business] at risk of financialand reputational damage.”