Ever vigilant about security, CIOs regularly review reports on potential breaches to the network and company Web sites—especially after the events of 9/11. Today’s IS groups respond to possible threats by installing the latest patches and virus updates. But is that enough?
Vigilance and action are certainly essential. So is a comprehensive security policy, as explained in a recent TechRepublic article, "Why you need a wireless policy," which emphasized the importance of setting security goals, benchmarks, and systems architecture standards.
But what if something happens despite all of your company's security precautions? What recourse would you have once someone cracks into a database and steals credit card numbers (an event that actually happened to a large online retailer during the 2000 holiday season)? How can you protect your company from a potential massive financial loss?
One good backup plan may be a cyberinsurance policy that protects companies from third-party lawsuits and loss of income in the event a hacker damages your company's site or network, or those of a client.
In this article, we'll talk with the sellers and buyers of cyberinsurance products about why companies may want to consider insurance as part of the security mix.
A growing interest in insurance
According to an "E-Risk Survey" published in May 2000 by Assurex, the world’s largest privately held insurance brokerage group, most companies have strong security measures, such as firewalls, encryption systems, and virus software. But 86 percent of respondents reported that they either didn’t have cyberinsurance or weren’t sure if other company policies would protect the organization against losses related to technology disasters.
Now, almost two years later, it’s likely that that percentage has dropped considerably, as companies are savvier about the need for cyberinsurance policies, said Thomas Harvey, Assurex’s president and CEO. One indication is that Harvey has seen cyberpolicy sales grow 30 to 40 percent over the past year.
Part of the increase is attributed to the effects of 9/11, as terrorism has “changed the shape of demand” for cyberinsurance, Harvey explained. The increased concerns are also impacting premiums on all corporate insurance policies, with costs predicted to rise 10 to 20 percent this year alone.
“Terrorism brings this whole thing to reality,” said Harvey, as corporations now realize that networks and sites could crash through no fault of the organization. Harvey also attributes the increase in insurance sales to a better-educated sales force that knows more about their products.
No matter what the driving forces may be, the interest in cyberinsurance is definitely spiking. Today, a company can cover losses associated with computer virus transmission, denial of service attacks, unauthorized access and use of systems, and even media liability, which can occur when a site is deemed to be publishing defamatory or otherwise illegal content.
Companies are covering all the bases
While companies that create or implement technology most likely already have liability coverage for errors and omissions in code and software, they’re also now buying cyberinsurance as well, according to Mike Zeldes, who directs the cyberinsurance division of New York City-based Kaye Insurance Associates.
Yet it’s not only technology companies that are buying policies. Companies both large and small with cyberexposure are seeking more insurance protection, said Zeldes.
For example, one of Zeldes’ customers was concerned that hackers would break into his online system—an event that could likely prompt customer lawsuits. To protect against the possibility, the client took out a $1 million liability coverage policy at a cost of $5,000.
Kenneth Bob, CEO of Safewww, Inc., a New York-based authentication-solutions provider, believes cyberinsurance is a necessity these days.
“For the peace of mind, I think it’s an important cost of doing business,” he said, adding, “I don’t skimp on security because of the [costs of] insurance. If something—the unexpected—happens, we’re covered.”
After choosing to purchase a cyberinsurance policy this past December, Safewww found the underwriting process fairly easy. No physical audit was necessary, and in a month’s time, Bob filed a complete written disclosure report, including information about the company, its network, and the security measures in place.
Bob advises skeptics to examine how internal private assets are actually being protected before dismissing the idea of purchasing cyberinsurance. Just as with homeowner's insurance, explained Bob, protecting property value (in this case, an organization’s assets) refers to more than just insuring the house itself; it also means that the contents of the house (network service or client data, for example) must be protected. Similar to traditional insurance approaches, cyberinsurance policies can protect organizations on a per-incident basis or can include coverage caps.
Zeldes believes that many companies don’t have cyberinsurance for one reason: They’re simply not aware that it’s available. But, possibly more frightening, is that many enterprises do not realize that asset liabilities that once were insured are no longer covered under today's policies. For example, many insurance companies used to cover company losses due to computer viruses, but that is now being excluded in many cases, said Zeldes.
Zeldes, along with Harvey and Bob, advise CIOs and corporate leaders to understand what’s at risk when a breach occurs and to review what is covered by current company insurance policies. The newest security tool tech leaders need to add to today’s arsenal may indeed require a phone call to the insurance broker.
Do you have cyberinsurance?
TechRepublic wants to know why you signed on for cyberinsurance or what’s holding you back from purchasing a policy. Write and tell us or share your insight or opinion of this approach to security by starting a discussion below.