Banking

Online attacks boost sales of hacker insurance

New claims filed after the recent attack of the ILOVEYOU virus will help test whether hacker insurance is worth its cost. Can this type of policy help protect your company?


What if your company could protect against hacker attacks the same way you insure against property damage? It can.

A growing number of insurers are now offering cyberspace liability insurance. Since the February attacks on Internet giants Amazon.com and Yahoo, the number of companies inquiring about the insurance has skyrocketed, according to insurance consultant Marsh Inc.

Is it worth the money?
The Computer Security Institute recently completed a survey on computer crime. Consider some of the statistics the report compiled:
  • Ninety percent of the companies that responded detected computer breaches within the last year.
  • Forty-two percent (273 respondents) released their financial losses, which totaled $265,589,940.

Some analysts point to those numbers as a serious reason IT professionals should consider paying for protection.

Handango, an Internet start-up in Dallas that sells handheld technology and software, is one of dozens of companies that have purchased cyber insurance coverage.

“I think it comes back to the seriousness with which people are treating their Web-based businesses. They’re very important to the overall mission of companies as they grow, and that’s why you need cyber insurance to help protect that asset,” said Laura Rippy, Handango’s CEO.

Handango’s decision was a preventative measure. Because the company’s Web site is its main customer channel, everyone, including the IT department, rallied around the decision to buy cyber insurance. Handango powers the handheld sections of Yahoo, Lycos, and AltaVista, three of the top five portals.

“The Handango team knows we have to take cyber precautions seriously,” Rippy said.

How much does it cost?
Marsh Inc. recently began offering up to $200 million in coverage in its NetSecure policy. Geoffrey Fallon, Marsh’s managing director in Columbus, OH, said the policies cost “a minimum of $5,000 a year for a million dollars in coverage.” Customers range from a small start-up that’s paying $30,000 a year for $5 million in coverage, to a large online retailer, which is paying hundreds of thousands of dollars a year for the maximum coverage.

More than 60 companies have purchased the cyber coverage, and hundreds more have made inquiries. Handango’s management views the coverage as a cost of doing business, similar to purchasing any other type of insurance for a company.

“It was a little pricey, but it provides comfort in knowing that we are protecting one of our key assets,” said Rippy.

Not just for hacker attacks
Most cyber liability insurance policies don’t just cover hacker attacks. Customers can file claims for a wide variety of Internet problems. For example, NetSecure covers the following:
  • An unauthorized attack
  • Denial of Service
  • Extortion
  • Introduction or spread of a virus
  • Computer crime
  • Software injury

Just as with other types of insurance policies, your company must prove you suffered a loss in order to collect. For that reason, Fallon says Marsh is not overly concerned with companies possibly hacking their own system just to collect. “Why would a company intentionally shut down its system … say for 24 hours … just to collect insurance? It’s not like they’re going to get more collecting insurance than they would if they kept on running.”

Deciding to file a claim
Marsh began offering NetSecure in May 1999. So far, no one has filed a claim. But Bill Power, Marsh’s managing director in Houston, said several companies are in the process of deciding whether to file a claim after problems caused by the Melissa and ILOVEYOU viruses.

“What most are doing right now is quantifying their total losses,” Power said. “Unlike a fire or lightning strike in which a building burns down, cyber losses are far less exact. So with these electronic losses, people are proceeding very carefully in documentation on the front end before they approach their underwriters.”

Who should consider this insurance?
According to Jennifer Blackmore, a senior research analyst with the International Data Corporation (IDC), “Cost compared to benefit makes [cyber insurance] a necessity for any firm operating secure functions online.” Fallon goes a step further and suggests that every company using computers “should consider it because any system is subject to attack, and this is a cost-effective way of being compensated if they are attacked.”

Blackmore also points out that cyber liability insurance is not just for companies involved in e-commerce.

“There are still business risks if they use computer networks internally or publicly.”

Advice for the IT manager
Obviously, considering whether to invest in this type of insurance policy is both a business and technology decision. The IT manager may be involved if he or she needs to assess a company's business risks based on its Internet, intranet, and extranet activities. Determining those risks may require outside help.

“It is important to remember that IT managers are not risk professionals. Outside experts should be brought in to assess the business risk for the company, which may be a strong option, especially for mid- to small-size companies with limited IT staff members,” Blackmore said.

She also warned that the real danger is not taking the time to accurately assess your particular business risks and hastily taking a policy that will most likely have oversights and gaps in coverage.
Here’s a list of tips for IT managers considering cyberspace liability insurance:
  • Take the time to properly assess business risks.
  • Know what insurance and warranty coverage already exists (from hardware and third-party service providers).
  • Figure out what additional coverage is needed, tailored to your particular type of business.
  • Shop around for the best policy at the best price. (Consider using an insurance broker.)

The drawbacks
The biggest concern with cyber liability insurance is the uncertainty of how insurance companies will handle a major online disaster. The costs can be immeasurable and lead to losses for the insurance companies.

Also, critics question whether companies that buy this insurance will start to let down their guard on security measures, thinking, “If anything happens, we’re covered.”

Does Handango’s CEO think such laxity is likely? “Definitely not. I have car insurance, and I still drive safely.”

Like with any insurance, the premiums can be high and the likelihood that you will need to file a claim is low. But as Blackmore sums it up, “Peace of mind is priceless.”
What’s the most compelling argument for spending the money on hacker insurance? What would prevent you from purchasing such a policy? Post a comment below or send us a note.

Editor's Picks

Free Newsletters, In your Inbox