Cyber Insurance and Compliance

Cyber Insurance and Scope of Data


Cyber insurance is all about probability. How likely is it that your business will suffer a cyberattack? And what would the costs of such an attack likely be?

But how do cyber insurance underwriters think about your ‘risk level’ as an organization?

The same way hackers do — in terms of data! Data is the name of the game. Your company’s sweet, sweet data is what cybercriminals crave, because data is what makes them money.

This brings us to our topic for part 4 of The SMB Owner’s Super Simple Guide to Cyber Insurance: scope of data. If you’re applying for a cyber insurance policy, you’ll want to make sure you have a clear idea of what your organization’s scope of data is.

So, let’s discuss what ‘scope of data’ means, and why it’s important.

How Much Data?

Scope of data refers first and foremost to the amount of data at your business. All things being equal, the more data you stand to lose in a cyberattack, the more costly such an attack would be. Target lost a lot of money when they were breached in 2013 ($202 million), and that’s largely because of the sheer amount of data that the threat actors stole — credit card and debit card information from over 40 million customers!

Bottom line: Before applying for cyber insurance, figure out how much data is at your organization, because you’re going to have a tough time convincing a cyber insurance carrier that you keep a close eye on your data if you don’t even know how much of it there is.

What Kind of Data?

As far as a cyber insurance provider is concerned, the kind of data at your business matters just as much as the amount. Why’s that? Because some types of data are more valuable than others. When evaluating your ‘cybersecurity posture’ (how good your cybersecurity is overall), a cyber insurance company will want to see that you concentrate your security efforts on protecting your most valuable digital assets.

Let’s go over some particularly valuable types of data, so you know where to prioritize your cybersecurity efforts.

Personally Identifiable Information (PII)

This is a big one. In 2021, customer PII was exposed in 80% of data breaches, and customer PII was also the costliest type of data to lose, setting businesses back $180 per record on average (Verizon & Ponemon Institute). Moreover, major compliance regulations, including HIPAA and PCI-DSS, include guidelines and standards for how businesses ought to handle their customers’ PII.

What counts as PII? Any information that can be used, either by itself or in conjunction with other information, to identify a particular individual. Here’s a list of common types of PII that hackers like to steal:

  • Credit card and debit card numbers
  • Social security numbers
  • Driver’s license numbers
  • Medical records
  • Full names
  • Email addresses

Bottom line: Use robust cybersecurity tools and practices like encryption and multi-factor authentication (MFA) to protect the PII at your company like your business depends on it — because it does! And, if you want to purchase a cyber insurance policy, expect carriers to ask you questions about how you handle PII. The more details you can give them to put their minds at ease, the better.


Passwords

Though technically a type of PII, passwords deserve their own discussion. Poor password management practices are rampant, which is a large reason why cybercrime is too. The Ponemon Institute surveyed IT professionals in 2020, and a shocking 42% reported that their organizations still use sticky notes to keep track of passwords.

Bottom line: Passwords are valuable data, and if you aren’t using password management software to store passwords in a secure manner, you’re going to make cyber insurance carriers very nervous — and with good reason!

Intellectual Property

One way to determine the value of data is by asking: “How much does my company rely on this data to operate efficiently and profitably?”

If the data in question is intellectual property — your organization’s trade secret, for instance — the answer to that question can be “a lot”!

Bottom line: When implementing security solutions at your organization, don’t forget about intellectual property. It needs to be protected too, and cyber insurance companies will want to see evidence that you’re taking appropriate measures to keep your intellectual property from falling into the wrong hands.

Where is Your Data?

Finally, there’s the question of where your data lives. Your scope of data is as much about the where as it is the what and the how much. Is your data in cloud repositories such as Dropbox and OneDrive? Or is it all local? If you’re shopping for cyber insurance, prepare to demonstrate to carriers that your organization’s data is kept in secure places.

And remember, that doesn’t necessarily mean on-premises. Despite widespread fears about the safety of using the cloud, a secure cloud datacenter can be a much safer option than an onsite storage solution.