What do the U.S. Office of Personnel Management, Target, Anthem, Sony, P.F. Chang's and the State Department have in common? It's an easy question, if you have been paying attention. In recent months, each has been the subject of a cybersecurity attack or data breach.

We first covered the topic of cyber-risk insurance in a column published here two years ago.¹ At the time, we wrote that news stories reporting the latest theft of credit card data, Social Security numbers and ATM codes had become more prevalent. Since then, however, the rate of data breaches and related disclosures has only increased and the organizations identified above, unfortunately, represent merely a few high-profile examples culled from an ever-growing list. In fact, if recent news reports are correct, we may soon be adding the Houston Astros to the list.

Cyber-risk concerns initially appeared to be primarily confined to retailers, banks, credit card companies and other businesses that maintain large volumes of personally identifiable information (PII). Today, the risks are even more widespread. Companies that maintain PII or other sensitive records on a network or that conduct business online have addressed (or should address) these risks through privacy policies, employee training, incident response plans, contractual protections with vendors, and network security technology. Given the ever-increasing sophistication of hackers, however, it is unlikely that such policies, procedures, and contractual provisions will be sufficient to entirely eliminate the risk of a data breach. Consequently, companies should also consider whether cyber-risk insurance should be part of their risk management approach.