Which is why we are considering cyber-insurance. This was an idea first advanced by my company's board of directors. It didn't make sense to me at first, because I think we really are doing everything reasonable to prevent an attacker from breaking into our network, so why pay for coverage against something I don't think is going to happen? But then again, as I said, nothing can be 100% secure. So the more I think about it, the more sense insurance to cover the costs of a security breach seems to make (assuming that the coverage is legitimate, that it is broad enough to cover the real-world attack scenarios we may experience, and that the insurance company won't try to weasel out of paying if we do get breached). The coverage can pay for the costs of investigating, reporting and remediating the breach.
However, not surprisingly, the policies I looked at varied widely on these factors. I looked at several policies that were pathetically weak, directly excluding most of the real-world threats we are concerned about, and placing unreasonable limits on others, while providing coverage for the less likely scenarios. But there were a couple that do cover things I think are possible -- such as hackers exploiting improperly configured servers, networks or firewalls to gain access to our network, or clueless employees that get their computers infected with malware through opening email attachments or visiting malicious websites, resulting in an intrusion or data theft. Those better policies cover the costs of forensic investigation, notifications and cleanup.
So now my opinion on the value of cyber-insurance has done a 180. What at first I thought was pointless may in fact turn out to be a reasonable value. I'll continue reviewing and discussing these policies with the management at my company, but I think we will decide to get the coverage.