Hello David,

Cyber insurance is a good idea. You will need to make sure that the policy will cover the company regardless of the cause. According to an HBR article, "The role that insiders play in the vulnerability of all sizes of corporations is massive and growing."

Here is an excerpt from an article published by Linford & Company LLP:

"When one thinks of an insider threat, they usually picture an angry ex-employee or a spy out to do harm, but there are multiple different types of insider threats. They can range from the careless employee to that previously mentioned spy. An insider threat is a threat to an organization from employees, former employees, contractors, or business associates. These users have inside information about the organization's security practices, data, and computer systems. Insiders can be either malicious or unknowing in their motivations."

Unfortunately, the insurance is not a means to an end. Companies must evaluate the risk and understand its impact, then take steps to mitigate as much of the risk as possible. Here is another article you may find useful - How to Perform a Cyber Security Risk Assessment and Understand the Data Obtained From It

Regards,

Varoujan Adamian
Principal Consultant
Noravand
Burbank, CA
(818) firstname.lastname@example.org
David,

I have seen good responses from all who have weighed in so far. Though your question is specific to cyber insurance, I'd like to note and recommend something that has not yet been brought into the discussion. While a cyber insurance policy is highly recommended in today's world of the "Internet of Things", the exposure creates a critical need for an organization to bring your IT person/dept into the mix and develop solid risk management practices and protocols specific to your cyber exposure. Be cognizant that sometimes the IT person/dept takes a defensive posture and may feel you are a threat to them, but discuss the fact that you need them as an asset to your risk management team to protect against things that you are not equipped to deal with on your own. Part of the process may involve periodic "tests" of employee responses to sample bogus e-mails, or an outside consultant analyzing and testing your IT dept's defenses.

The point here is that there is no replacing diligent risk management planning, continual review of it, and modification as dictated by the current and projected risk factors.

And lastly, back to the cyber insurance itself. There are numerous forms with no real standard. Seek to work with a broker that has the experience to help you craft coverage that best fits your firm's exposures.