Despite headline-grabbing data breaches that have proven costly to organizations in many sectors, the purchase of cyber-insurance to cover potential costs remains relatively rare. Cyber-insurance policies vary widely, but they often cover notification expenses, credit-monitoring services, and, in many cases, legal defense costs and even government penalties. “Cyber-insurance is viewed as much more of a discretionary purchase, and risk managers really have to be educated on the need to purchase the coverage and what the coverage actually provides,” says David Bradford, who published a 2012 survey that addresses cyber-insurance for RIMS, the risk information management society.