Willis calls 2011 the “Year of the Breach” and says that while companies are rightfully concerned about their Cyber exposures, they need to carefully examine their insurance coverage and risk-management strategies to ensure they are adequately protected.
“The major assets of any Fortune 500 company, whether held in credit-card data or the proprietary recipe for a soda, are intellectual, and attacking the operating system containing this information could bring a company to its knees,” says Ann Longmore, executive vice president of FINEX, Willis' financial, executive-risk and professional-liability business.
She adds, “The boardroom is full of intelligent people, but hackers are endlessly innovative, making this a constantly evolving duel between good and evil over assets and knowledge.”
The average cost of a data breach in the U.S. last year was $5.5 million, according to the Identity Theft Resource Center (ITRC), and 105 breaches have exposed nearly 4.5 million records in just the first quarter of 2012.
Companies are finding that insurers aren't paying willingly for cyber attacks. For example, in August 2011 Sony was sued by Zurich America, its Commercial General Liability insurer, with the carrier claiming its General Liability policy did not extend to data breaches.
Willis says the term “physical damages” in Commercial General Liability policies doesn't always apply to electronic data, which is why it is important for companies to set policies and budgets offsetting the potential financial loss of a cyber breach. It could also benefit insurance managers to pick up endorsements for Data Breach, Cyber Extortion and Digital Asset losses.
And because company directors and officers are often sued in derivative suits for failure to disclose and manage customer exposure, both public and private companies should ensure that their D&O liability coverage is flexible enough to respond to Cyber claims.
The SEC's Division of Corporate Finance has issued an advisory that recommends disclosure steps related to cyber-security risks—but the SEC maintains that compliance is beneficial, not mandatory.
“Companies should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky,” Willis states in its third-annual guide on executive boardroom risks, released this month.
Appropriate disclosures should discuss aspects of business and operations—including outsourcing—that expose the company to cyber risks as well as the steps taken to mitigate them. Such a disclosure should also include a timeline of short- and long-term costs, the consequences of breaches, and descriptions of relevant insurance coverage, Willis adds.
CYBER SELLS, BUT WHO'S BUYING?
According to a recent Chubb survey of public companies, more than 70 percent say they have an incident-response plan for an electronic-security breach.
That would appear to be good news.
But the bad news is nearly 60 percent of the companies surveyed say Cyber Liability insurance is not a part of their incident-response plan.
Other survey results indicate there is a definite concern about data breaches, but it doesn't necessarily lead to an insurance purchase to appropriately cover the risk.
The results appear in an infographic from Chubb that reveals further findings of its “2012 Public Company Risk Survey.”
In the same survey Chubb discovered there is a “general lack of concern” among surveyed public companies that their directors and officers will face a lawsuit.
The survey of decision-makers at 145 public companies in the U.S. and Canada was conducted by Pollara, an independent public-opinion and market-research firm.
On Chubb's blog, Ken Goldstein, vice president at Chubb Specialty Insurance, writes that he has spoken to small and midsize businesses about Cyber risk and “discovered there's some misunderstanding about their risk and how their current insurance program will respond to this type of loss.”
Goldstein says they think other policies provide coverage—which may be partly true. Some coverage could be available under other policies, but “there are frequently significant gaps in coverage that could leave a [small or midsize business] at risk of financial and reputational damage.”