
Breach Insurance

Enterprises investigate various insurance plans to recoup costs of security breaches, data losses

In the aftermath of a manmade or natural disaster, the questions come more or less in this order:

"Is it over?"

"Is everyone OK?"

"Do you have insurance?"

When it comes to natural disasters, such as floods or tornadoes, most companies wouldn't even consider going a day without insurance. But when it comes to network disasters, such as break-ins or insider sabotage, most companies don't have any insurance at all.

"It's still a new idea for most companies," says Julie Davis, executive vice president and managing director at Wired for Growth, a unit of Aon, a major risk assessment and insurance brokerage. "But it's one of the fastest-growing areas of the insurance business. We have a line at the door of companies that want to talk to us about it."

Security insurance -- the cool term today is network risk insurance -- has been around for a decade. It was once called cyberinsurance and is still sometimes known as cyber liability insurance; all of these terms describe ways that a company can protect itself against the eventuality of a business-crippling hack, data loss, or privacy violation.

For an annual premium as low as $1,500 -- or as high as several hundred thousand dollars -- enterprises can buy policies that will reimburse them in the event of unauthorized system access, stored data losses, customer privacy violations, cyber extortion, and cyber terrorism. Depending on the coverage, your company could receive reimbursements not only for downtime caused by a hack, but for lost business or legal settlements with complaining customers.

It's all about risk, insurance experts say. If you work in a company that's a high-risk target, and maintains shoddy security systems and practices, you can expect to pay a high premium for insurance. If you're in a lower-risk industry and your security systems are all state of the art, your insurance costs will be much lower.

"Choosing coverage is something that depends on the business and the risks it faces," says Davis. "You have to identify your biggest risks and work with a broker to find the best plan."

If your company handles credit cards, for example, you should insure yourself against privacy violations and the loss of personal information, Davis says. If you're a game developer, you'll be less concerned about privacy and more concerned about copyright infringement. A site like MySpace has to concern itself with liability costs associated with libel or other offenses that might be committed via the site.

There are many types of coverage -- AIG's NetAdvantage plan alone has 10 different offerings -- but they can all be divided into "first party" or "third party" coverage, experts explain. First-party coverage reimburses your own business for its losses, such as revenue lost during a security-related system interruption. Third-party coverage insures the business against liability to others in the event of lost, stolen, or damaged data.

"Almost all of the interest we're seeing so far is of the third-party variety," says Davis. "We have written very few first-party policies, but third-party coverage is becoming increasingly popular." Many online businesses shy away from first-party policies because it can be difficult to deliver quantifiable proof of business losses in the event that a virtual product or service is interrupted, she says.

Just how popular is network risk insurance? Market figures are hard to come by, but a recent John Line/Betterley Report estimates that the annual gross written premium in the U.S. in 2006 was between $300 and $350 million. Other estimates range as high as $500 million, but when you consider the hundreds of billions of dollars made across all industries each year, it is clear that U.S. companies are underinsured against security threats.

"Most companies we talk to haven't done anything yet, even though this is not a new market," Davis says.

But with growing compliance requirements and state laws mandating security breach disclosure, the costs of a security failure are becoming more evident, experts say. High-profile cases such as TJX Companies and the U.S. Veterans Administration are causing many enterprises to look more closely at the coverage options, they observe.

Currently, there are 11 carriers offering cyber-related insurance plans, and many more brokers that handle their business. "To get this type of coverage, you have to go through a broker," Davis says. "The problem is that it's a new market, and there are very few brokers that really understand it."

Indeed, there are a wide variety of cyber-related insurance coverage options, and most of them don't compare on an apples-to-apples basis. AIG, for example, offers separate coverage for information assets and for privacy liability, where other providers might not break those risks into separate products, or might break them a different way.

In a study conducted several years ago, Gartner found that many IT people believed security issues were covered by riders in their business insurance policies, only to find out later that they weren't. "It's something they should look into," Davis says.

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories.
