Steptoe & Johnson, a large law firm headquartered in Washington, DC, publishes a newsletter called the Cybersecurity Advisor, a good source of alerts.
A recent one tells the story of a company that had a data breach potentially involving 2.4 million customers. There were a lot of lawsuits and investigations.
The company’s insurer refused to cover the costs of defense, saying the general liability policy doesn’t cover this breach.
So, you have a potential hazard (data breach) with a huge potential impact (2.4 million customers suing you, plus government, plus reputation and brand damage) = large risk. While you put controls in place to prevent the hazard, one of the mitigations you have in place if the hazard occurs is insurance. Or so you thought.
Should the directors have thought about this? The (former) managers?