The topic of cybersecurity insurance seems to be on the radar of most organizations I speak with. There are a lot of questions around how much coverage is needed and what exclusions one should be on the lookout for when purchasing a policy. I usually try to use this as an opportunity to talk about what a cyber insurance policy is not, and I’ll get to that later.

There’s a popular saying in the cybersecurity space, “There’s two types of organizations, those that have been breached and those that don’t know they’ve been breached.” In working with organizations that know they’ve been breached, I’ve noticed a very alarming fact. It’s not their first breach! This left me wondering why and how? How can an organization suffer from one breach and have a second or third similar breach? What did they not learn from the initial breach that would leave them vulnerable to similar subsequent breaches? One of the common themes we see is that they “handled” the first breach themselves or they hired a security consultant with little to no experience in incident response that focused on recovery and not fully understanding how the attack was carried out. This is a very scary reality that we are seeing more and more daily.