From: www.itworld.com

The Policy of Protection

by Susan Breidenbach

January 3, 2001

You've shored up the firewall, implemented intrusion detection and deployed strong authentication. But there's one more security measure you can take to protect your company's electronic assets: Buying insurance. Several carriers now offer security insurance to help you manage the risks posed by cyberspace.

"Achieving 100% security is impossible," says Greg Grant, director of marketing and alliances for Internet Security Services (ISS) in Atlanta. "There is still a risk, and IT professionals should advise management to consider cyber insurance."

Policies have been available for two years, but demand languished until businesses witnessed this year's dramatic denial-of-service attacks and e-mail viruses. "Interest really accelerated in the last six months," says Kae Lovaas, vice president of technology underwriting for St. Paul Companies in Minnesota.

However, many executives are still unaware that general business insurance doesn't cover Internet losses. These policies cover physical losses from threats known in the 1960s, when cyberspace was largely science fiction.

They are also based on net income, which doesn't help e-businesses that don't generate profits yet.

There are three main categories of IT insurance: Liability coverage for content injury and damage to third parties; property and business interruption coverage for damages to electronic assets from hacker and virus attacks; and computer crime coverage for losses from theft of electronic assets or computer-related extortion.

Providers include AIG, Gulf Underwriters, J.S. Wurzler Underwriting Managers, Lloyd's of London and Marsh.

Policy pricing

The largest cyber-insurance policies cover damages of up to $200 million, with typical premiums ranging from $10,000 to $25,000 per million per year.

Business-interruption coverage is based on an e-commerce site's sales volume and security. A firm with $40 million per year in Web sales might spend $50,000 to $70,000 per year on a policy covering a 60-day business outage, Wurzler says. A smaller firm could get $100,000 in coverage for $1,000 to $2,000.

Liability insurance starts at $2,500 per year for up to $1 million in coverage. Computer crime premiums are higher - perhaps $7,000 per year per $1 million - because such losses, including employee theft, tend to be large.

Observers wonder where these rates come from. Traditional premiums are based on decades of historical data, which doesn't exist yet in cyberspace.

"Given the reluctance to report security problems, it's hard to collect actuarial data even when it does exist," says Dan Farmer, a computer security researcher for EarthLink in San Francisco.

Insurance experts acknowledge the problem. "There is an element of feel to these rates," says Christopher Keegan, a vice president at Marsh in New York.

"Annual premiums for $25 million in coverage range from $25,000 to $125,000," says Richard Hunter, managing vice president of consulting for Gartner Group's eMetrix practice. "You don't see a 500% range in traditional premiums. That tells me insurance companies don't know how to assess the risk."

However, insurance executives downplay fraud potential. "The errors and omissions losses we've been dealing with for years could be fabricated just as easily," Marsh's Keegan says. "We're more concerned about the volatility of laws as the e-commerce world emerges."

Also, technology reduces some risks. E-signatures may be harder to forge.

Premiums tend to be inversely proportional to the risk management the underwriter imposes. Some approve applicants based on a detailed questionnaire. Others require a security audit and ongoing monitoring.

In July, Lloyd's launched a program with Counterpane Internet Security in San Jose, Calif. If Counterpane monitors your security, you are automatically eligible for a policy covering revenue and information-asset losses caused by Internet security breaches.

J.S. Wurzler also uses extensive risk management. "The best-performing insurance companies spend up to 30 cents of each premium dollar helping clients reduce loss probability," says CEO John Wurzler. You may have to upgrade security significantly to qualify for a policy with a reasonable premium and reasonable coverage.

"The vast majority of our clients spend less than 5% of their IT budgets on security, and many spend less than 1%," Hunter says. "This contrasts with the 8% to 15% our best-of-breed clients spend. If you want to find your security holes, try to get insurance."

Marsh's Web site -- www.netsecure.com -- has a self-audit exercise.

RIPTech, a managed security services provider in Alexandria, Va., educates clients about Internet insurance but says less than 5% have bought it.

Early adopters include Web-based businesses such as Handango in Hurst, Texas, which purchased a policy from Gulf Underwriters. Handango sells software and accessories for handheld computers and carries an inventory of 9,400 software titles from 3,800 developers.

"Customers download titles, so we were concerned about piracy," says Laura Rippy, Handango's CEO. Handango also powers the handheld sections of three major search portals -- Yahoo, Lycos and Alta Vista.

"Having insurance makes people look more seriously at you as a partner," Rippy adds. It also makes you look like a better investment.

"We're working on a mezzanine level of financing," says Tom Shipley, CEO of Executive Shoppe, Inc. in Altamonte Springs, Fla. A Wurzler client, the start-up does about a third of its business online. "Having insurance shows potential investors we take fiduciary responsibility seriously."

Alan Paller, director of research for the Systems Administration, Networking and Security Institute in Bethesda, Md., says his organization's members -- security professionals -- are primarily interested in the seal of approval insurance might convey on prospective partners.

"Insurance is almost an afterthought," agrees Christopher Williams, chief financial officer of ISS and Marsh client LockBox Communications, a provider of outsourced e-storage for financial institutions. "The reason I'm doing it is 70% preventative, 20% credibility and 10% balance-sheet exposure."

COVER YOUR BASES

Cyber insurance: More about where you can get it:

www.EWebsiteInsurance.com

Run by a broker in Southern California and dedicated to the cyber insurance niche. Explains the various types of coverage and who provides it.

www.TechnnoInsurance.com

Cool calculators: Interactive risk assessment and insurance coverage tools

Marsh Inc.'s cyber insurance Web site

Includes an interactive risk assessment exercise.

St. Paul Companies explains cyber insurance

Includes an interactive coverage calculator.

Insurance Information Institute

Has an extensive library and database, and fields requests for information from the news media, government, academia, and insurance customers.

IRMI.com

IRMI is a research and publishing company focusing on risk management and insurance. The site includes discussions of security and Internet insurance.