Liability limits for Chartis's CyberEdge are currently capped at US$10,000,000, subject to individual risk assessment. Pollard said that the average claim at Chartis in the US over the last four years was US$5.2 million.
"That [average represented] small to large businesses in different sectors," he said. "We paid for defense costs, claims for third party liabilities related to a fine penalty, notification costs or forensic expenses."
Are you already covered?
Many insurance companies in Hong Kong offer professional liability products, which may protect enterprises from some forms of data loss due to failure in computers or infrastructure, according to Stella Tse, Asia Leader for the Financial and Professional Risks Practice at insurance firm Marsh Hong Kong -- an insurance brokerage firm that has provided cyber insurance coverage since 2000.
"Many banks and financial institutions are protected from data losses due to computer failure through the professional liability and computer crime coverage," said Tse. "Although it may overlap existing insurance coverage, cyber insurance can sometimes provide additional coverage over-and-above the existing policies."
She added that most existing insurance policies cover outages caused by property-based or physical damage, meaning that damages due to data loss remain a grey area.
Read the fine print
One major difference between cyber insurance and existing professional liability policies lies in how they handle business interruptions caused by security breaches. But enterprises must also be aware of the fine print in their policies.
For example, if business is interrupted at a securities trading house due to a network outage caused by a security breach, Tse said a claim could be made against the cyber insurance coverage for business lost from the interruption. But the policy may not cover business lost from account-cancellations caused by reputational damage from the security breach.
"If the firm had $1 million monthly revenue from its online trading platform, the claim would be based on the lost revenue in transactions and volume [directly] caused by the network outage," she said.
In addition to banks and financial sectors, Tse also suggested healthcare organizations consider cyber insurance. She posited a scenario where a clinic loses patient data in a security breach and one of those patients is a director of a listed company. Such information is sensitive data that may cause share prices to fluctuate.
"When business is lost due to the leakage of such data, should the clinic be liable?" she said. "There are still a lot of uncertainties, therefore I suggest organizations consider having a [cyber insurance] policy," she said.
The role of IT
IT's input is crucial when it comes to deciding whether to buy cyber insurance and determining what coverage to buy, security experts say.
"Information professionals, especially information security leaders, need to step up. They need to understand that they're in charge of more than just security. They need to understand and articulate the vulnerabilities that they face in terms of risk. That's the language of the board," said Don Fergus, a US-based IT risk consultant.