Breach Insurance

Enterprises investigate various insurance plans to recoup costs of security breaches, data losses

In the aftermath of a manmade or natural disaster, the questions come more or less in this order:

"Is it over?"

"Is everyone OK?"

"Do you have insurance?"

When it comes to natural disasters, such as floods or tornadoes, most companies wouldn't even consider going a day without insurance. But when it comes to network disasters, such as break-ins or insider sabotage, most companies don't have any insurance at all.

"It's still a new idea for most companies," says Julie Davis, executive vice president and managing director at Wired for Growth, a unit of Aon, a major risk assessment and insurance brokerage. "But it's one of the fastest-growing areas of the insurance business. We have a line at the door of companies that want to talk to us about it."

Security insurance -- the cool term today is network risk insurance -- has been around for a decade. Once called cyberinsurance and still sometimes known as cyber liability insurance, it gives a company a way to protect itself against the eventuality of a business-crippling hack, data loss, or privacy violation.

For a premium as low as $1,500 a year -- or as high as several hundred thousand -- enterprises can buy policies that will reimburse them in the event of unauthorized system access, stored data losses, customer privacy violations, cyber extortion, and cyber terrorism. Depending on the coverage, your company could receive reimbursements not only for downtime caused by a hack, but for lost business or legal settlements with complaining customers.

It's all about risk, insurance experts say. If you work in a company that's a high-risk target, and maintains shoddy security systems and practices, you can expect to pay a high premium for insurance. If you're in a lower-risk industry and your security systems are all state of the art, your insurance costs will be much lower.

"Choosing coverage is something that depends on the business and the risks it faces," says Davis. "You have to identify your biggest risks and work with a broker to find the best plan."

If your company handles credit cards, for example, you should insure yourself against privacy violations and the loss of personal information, Davis says. If you're a game developer, you'll be less concerned about privacy and more concerned about copyright infringement. A site like MySpace has to concern itself with liability costs associated with libel or other offenses that might be committed via the site.

There are many types of coverage -- AIG's NetAdvantage plan alone has 10 different offerings -- but they can all be divided into "first party" or "third party" coverage, experts explain. First-party coverage insures your business against losses that might occur in the event that business is lost during a security-related system interruption. Third-party coverage insures the business against liability in the event of lost, stolen, or damaged data.

"Almost all of the interest we're seeing so far is of the third-party variety," says Davis. "We have written very few first-party policies, but third-party coverage is becoming increasingly popular." Many online businesses shy away from first-party policies because it can be difficult to deliver quantifiable proof of business losses in the event that a virtual product or service is interrupted, she says.

Just how popular is network risk insurance? Market figures are hard to come by, but a recent John Line/Betterley Report estimates that the annual gross written premium in the U.S. in 2006 was between $300 million and $350 million. Other estimates range as high as $500 million, but when you consider the hundreds of billions of dollars made across all industries each year, it is clear that U.S. companies are underinsured against security threats.

"Most companies we talk to haven't done anything yet, even though this is not a new market," Davis says.

But with growing compliance requirements and state laws mandating security breach disclosure, the costs of a security failure are becoming more evident, experts say. High-profile cases such as TJX Companies and the U.S. Veterans Administration are causing many enterprises to look more closely at the coverage options, they observe.

Currently, there are 11 carriers offering cyber-related insurance plans, and many more brokers that handle their business. "To get this type of coverage, you have to go through a broker," Davis says. "The problem is that it's a new market, and there are very few brokers that really understand it."

Indeed, there is a wide variety of cyber-related insurance coverage options, and most of them don't compare on an apples-to-apples basis. AIG, for example, offers separate coverage for information assets and for privacy liability, where other providers might not break those risks into separate products, or might break them a different way.

In a study conducted several years ago, Gartner found that many IT people believed security issues were covered by riders in their business insurance policies, only to find out later that they weren't. "It's something they should look into," Davis says.

— Tim Wilson, Site Editor, Dark Reading