
Risk

Breach Insurance

Enterprises investigate various insurance plans to recoup costs of security breaches, data losses

In the aftermath of a man-made or natural disaster, the questions come more or less in this order:

"Is it over?"

"Is everyone OK?"

"Do you have insurance?"

When it comes to natural disasters, such as floods or tornadoes, most companies wouldn't even consider going a day without insurance. But when it comes to network disasters, such as break-ins or insider sabotage, most companies don't have any insurance at all.

"It's still a new idea for most companies," says Julie Davis, executive vice president and managing director at Wired for Growth, a unit of Aon, a major risk assessment and insurance brokerage. "But it's one of the fastest-growing areas of the insurance business. We have a line at the door of companies that want to talk to us about it."

Security insurance -- the cool term today is network risk insurance -- has been around for a decade. Once called cyberinsurance and still sometimes known as cyber liability insurance, these terms all describe ways that a company can protect itself against the eventuality of a business-crippling hack, data loss, or privacy violation.

For an annual premium as low as $1,500 -- or as high as several hundred thousand dollars -- enterprises can buy policies that will reimburse them in the event of unauthorized system access, stored data losses, customer privacy violations, cyber extortion, and cyber terrorism. Depending on the coverage, your company could receive reimbursements not only for downtime caused by a hack, but for lost business or legal settlements with complaining customers.

It's all about risk, insurance experts say. If you work in a company that's a high-risk target, and maintains shoddy security systems and practices, you can expect to pay a high premium for insurance. If you're in a lower-risk industry and your security systems are all state of the art, your insurance costs will be much lower.

"Choosing coverage is something that depends on the business and the risks it faces," says Davis. "You have to identify your biggest risks and work with a broker to find the best plan."

If your company handles credit cards, for example, you should insure yourself against privacy violations and the loss of personal information, Davis says. If you're a game developer, you'll be less concerned about privacy and more concerned about copyright infringement. A site like MySpace has to concern itself with liability costs associated with libel or other offenses that might be committed via the site.

There are many types of coverage -- AIG's NetAdvantage plan alone has 10 different offerings -- but they can all be divided into "first party" or "third party" coverage, experts explain. First-party coverage insures your business against its own losses, such as business lost during a security-related system interruption. Third-party coverage insures the business against liability to others in the event of lost, stolen, or damaged data.

"Almost all of the interest we're seeing so far is of the third-party variety," says Davis. "We have written very few first-party policies, but third-party coverage is becoming increasingly popular." Many online businesses shy away from first-party policies because it can be difficult to deliver quantifiable proof of business losses in the event that a virtual product or service is interrupted, she says.

Just how popular is network risk insurance? Market figures are hard to come by, but a recent John Line/Betterley Report estimates that the annual gross written premium in the U.S. in 2006 was between $300 million and $350 million. Other estimates range as high as $500 million, but when you consider the hundreds of billions of dollars made across all industries each year, it is clear that U.S. companies are underinsured against security threats.

"Most companies we talk to haven't done anything yet, even though this is not a new market," Davis says.

But with growing compliance requirements and state laws mandating security breach disclosure, the costs of a security failure are becoming more evident, experts say. High-profile cases such as TJX Companies and the U.S. Veterans Administration are causing many enterprises to look more closely at the coverage options, they observe.

Currently, there are 11 carriers offering cyber-related insurance plans, and many more brokers that handle their business. "To get this type of coverage, you have to go through a broker," Davis says. "The problem is that it's a new market, and there are very few brokers that really understand it."

Indeed, there are a wide variety of cyber-related insurance coverage options, and most of them don't compare on an apples-to-apples basis. AIG, for example, offers separate coverage for information assets and for privacy liability, where other providers might not break those risks into separate products, or might break them a different way.

In a study conducted several years ago, Gartner found that many IT people believed security issues were covered by riders in their business insurance policies, only to find out later that they weren't. "It's something they should look into," Davis says.

— Tim Wilson, Site Editor, Dark Reading

Tim Wilson is Editor in Chief and co-founder of Dark Reading.com, UBM Tech's online community for information security professionals. He is responsible for managing the site, assigning and editing content, and writing breaking news stories. Wilson has been recognized as one ...
