You've shored up the firewall, implemented intrusion detection and deployed strong authentication. But there's one more security measure you can take to protect your company's electronic assets: Buying insurance. Several carriers now offer security insurance to help you manage the risks posed by cyberspace.

"Achieving 100% security is impossible," says Greg Grant, director of marketing and alliances for Internet Security Services (ISS) in Atlanta.

"There is still a risk, and IT professionals should advise management to consider cyber insurance." Policies have been available for two years, but demand languished until businesses witnessed this year's dramatic denial-of-service attacks and e-mail viruses. "Interest really accelerated in the last six months," says Kae Lovaas, vice president of technology underwriting for St. Paul Companies in Minnesota.

However, many executives are still unaware that general business insurance doesn't cover Internet losses. These policies cover physical losses from threats known in the 1960s, when cyberspace was largely science fiction.

They are also based on net income, which doesn't help e-businesses that don't generate profits yet.

There are three main categories of IT insurance: Liability coverage for content injury and damage to third parties; property and business interruption coverage for damages to electronic assets from hacker and virus attacks; and computer crime coverage for losses from theft of electronic assets or computer-related extortion.

Providers include AIG, Gulf Underwriters, J.S. Wurzler Underwriting Managers, Lloyd's of London and Marsh.

Policy pricing

The largest cyber-insurance policies cover damages of up to $200 million, with typical premiums ranging from $10,000 to $25,000 per million per year.

Business-interruption coverage is based on an e-commerce site's sales volume and security. A firm with $40 million per year in Web sales might spend $50,000 to $70,000 per year on a policy covering a 60-day business outage, Wurzler says. A smaller firm could get $100,000 in coverage for $1,000 to $2,000.

Liability insurance starts at $2,500 per year for up to $1 million in coverage. Computer crime premiums are higher - perhaps $7,000 per year per $1 million - because such losses, including employee theft, tend to be large.

Observers wonder where these rates come from. Traditional premiums are based on decades of historical data, which doesn't exist yet in cyberspace.

"Given the reluctance to report security problems, it's hard to collect actuarial data even when it does exist," says Dan Farmer, a computer security researcher for EarthLink in San Francisco.

Insurance experts acknowledge the problem. "There is an element of feel to these rates," says Christopher Keegan, a vice president at Marsh in New York.

"Annual premiums for $25 million in coverage range from $25,000 to $125,000," says Richard Huunter, managing vice president of consulting for Gartner Group's eMetrix practice. "You don't see a 500% range in traditional premiums. That tells me insurance companies don't know how to assess the risk." However, insurance executives downplay fraud potential.

"The errors and omissions losses we've been dealing with for years could be fabricated just as easily," Marsh's Keegan says. "We're more concerned about the

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine