Cybersecurity Insurance: Safety at a Premium

Are your intangible assets protected? Here's how to choose the right cyberinsurance policy for your company.

It can go by any number of names—the cyberhurricane or the digital earthquake—but the concept is the same: it's all about computer crime. crime at a magnitude so enormous that it threatens to disrupt the Internet, affecting the communications and business operations of a large number of companies simultaneously.

A constant onslaught of minievents have primed CSOs for the credibility of this notion. From the I Love You virus to Nimda, Code Red, Klez and Bugbear, security executives have had a sufficient taste of the financial costs and management headaches associated with fending off cyberattacks to understand that the threat to their companies is real. And potentially greater hazards loom on the horizon—superworms and cyberterrorism to name just a few.

So call it what you will, CSOs increasingly stand poised for The Big One.

While such an event poses an ever-present fear for CSOs, insurance companies see it as both a business opportunity and a challenge. Many insurers are marketing e-risk insurance products specially tailored to address the corporate security risks posed by the Internet, but the process behind offering e-risk insurance is currently much more an art than it is a science.

Cybercoverage

Mainstream business insurance policies were never meant to cover the astronomical financial and reputational costs that a virus or other technology-related business disruption can cause. The publicized theft of sensitive corporate data like credit card numbers has hastened a number of companies, such as Flooz.com, into bankruptcy. And in just the first five days of circulation, the I Love You virus cost businesses $6.7 billion, according to researcher Computer Economics. The insurance industry's reaction to the growing risks posed by Internet activity has been twofold: First, they've written exclusions into their basic business policies that Internet-related risks will not be covered. Second, they've seized the opportunity to develop and market specially tailored cyberinsurance or e-risk policies that offer specific coverage against hackers, viruses and cyberextortion. Policies like that would once have only made sense for customers that were betting their entire business on the Web, but the Internet has become so tightly woven into the operations of most large organizations that that is no longer the case. "Most companies with websites have gone from putting out brochures to being high-intensity publishers," says David O'Neill, vice president for e-business solutions at Zurich North America. "That opens the door to copyright, trademark infringement, electronic extortion and other computer crimes."

Policies vary widely in terms of what they cover. Some take a cafeteria approach, allowing companies to pick and choose only the specific coverage they require. But the challenge is that, while there's no shortage of security statistics coming out of law enforcement and security research companies, very little has been done to map those figures to the financial losses actually incurred by companies. Consequently, insurers are still deciding how to price the coverage. And because the actuarial models behind the policies are vague and differ greatly between insurers, companies looking for an e-risk policy are often comparing apples with oranges. To further muddy the waters, the pressure on companies to assess, mitigate or transfer any perceived risks to their business viability has never been greater. So what's the risk-sensitive CSO to do? Here's what you'll need to know when evaluating cyberinsurance.

Push and Pull

Many corporate risk managers assume their company's commercial property/casualty policies will cover any business disruptions that result from security breaches. They're often wrong. In a recent survey of financial institutions mentioned in NYSE Magazine, more than three-quarters of the 76 percent of respondents who identified e-commerce as their number-one risk-management issue also erroneously stated that they were covered for cybercrimes under their traditional insurance policies.

Most standard business insurance policies cover only the damage or theft of tangible assets like buildings or equipment. "Computer code is deemed to be intangible," says O'Neill. "Property and casualty policies were never written to assess these exposures and were never priced to include them."

Until recently, traditional property insurance may have provided some coverage for virus-related exposures, but as of January 2002, the majority of insurers eliminated it as well. The reason: the reinsurance or secondary market—which functions like a bookie with whom the primary insurance industry lays off its bets to minimize undue risk concentration—is concerned by the notion of the cyberhurricane. "It could affect thousands of companies simultaneously with no geographic locus," potentially causing too much exposure to individual insurance companies, says Jeffrey Grange, senior vice president and global manager of fidelity and professional liability products for The Chubb Group.

The second reason insurance companies are moving cautiously in that area is the reality of insuring a post-Sept. 11 world. The prospect of significant business disruption to the telecommunications network on which technology platforms run is that much more real after 9/11. It is also considered likely that a next wave of terrorist attacks could come in the form of cyberattacks aimed at disrupting significant portions of the critical infrastructure and targeting the technology backbone of various enterprises.

The result of those market pressures has been a retrenchment on the part of insurers and reinsurers thatafter paying out tens of billions of dollars in 9/11 losseshave lost their appetite, at least in the short term, for a new market in which so many uncertainties exist. While industry insiders such as Grange expect that to be a temporary market dynamic, the consequence for companies currently seeking cyberrisk coverage will be that premiums will be higher and the policies that already require a fairly stringent security audit will be harder to qualify for.

Similar economic pressures are making cyberinsurance that much more important for companies whose risk-management practices are facing growing scrutiny by government groups and investors. For many companiesparticularly those in technology, financial services and pharmaceuticalstheir most valuable corporate assets are in the form of data. The Financial Accounting Standards Board (FASB) is now directing companies to state the value of those intangible assets in order to more accurately quantify the business's market value. As more companies discover how large a percentage of their market capitalization is in the form of computer code and stored data, the pressure to properly protect it with high security standardsand thereby transfer through insurance the risk of lossis growing.

Regulatory developments are also going to increase the pressure on companies to account for and mitigate risk. The Basel Capital Accord, which was developed in 1988 by an international banking organization to promote the safety of the global financial system, has been updated with new regulations that are due to take effect in 2004. The new accord will specify methodologies by which financial institutions must measure their operational riskthe risk of direct or indirect loss due to inadequate or failed internal processes, people and systems or external events. That risk measure forms the basis for a calculation of the amount of capital an institution must set aside in reserves to cover potential losses. For the banking industry, many of those operational risks will revolve around the use of technology, and being able to offset some of that risk to insurance will be an attractive option and may reduce the amount of capital that an institution has to keep on hand. Weird ScienceQuantifying the losses from a breach in security is a complex processand one with which the insurance industry has struggled for years. After all, if somebody steals the computer on your desk, that's pretty much a known value and the claim is for the cost of replacement. When data is lost, the value is much harder to quantify. One could calculate the cost of reconstructing that particular record, but that figure doesn't account for the intellectual property value the stored data can have.

And what if the data were a pharmaceutical formula for a groundbreaking new drug and it was stolen and sold to a competitor? The entire company is less valuable because that information has been compromised. "The value of data is difficult to determine, and the value is often only relevant to that particular organization," says Doug McCarthy, senior operations analyst in technology underwriting for The St. Paul Cos. Given the difficulty of placing a value on that kind of intangible information, it's important that CSOs work with an insurer that shows a keen understanding of its industry.

Most lines of coverage in the insurance industry are backed by precise actuarial tables that inform the pricing process. For example, an auto insurer can look at the accident and theft rates for the state you live in, your driving record and the value of your car, and figure out precisely how much it should charge for coverage. The actuarial tables for cyberinsurance are still a work in progress, but an interesting partnership has been developing between the government and the insurance industry to try and flesh out those figures.

The Critical Infrastructure Protection Board (CIPB), which was established by President Bush in October 2001, has taken a keen interest in the insurance industry. When a weather-related disaster occurs, the government can send in the Federal Emergency Management Agency, or FEMA, to provide recovery assistance and funding, but there is no such mechanism for a cyber-based event. With nearly 90 percent of the critical infrastructure in the hands of private industry, the government wants to ensure that there is a relief function in place. The government is hoping cyberinsurance will gain currency among companies and assume that role. To make that happen, the CIPB has developed a working group with insurance industry members to try to pool the data that exists within the government and the insurance industry to develop actuarial tables. It's a difficult process that's expected to continue into 2005. "The data exists in many sources within the private and government sectors," says Grange, a member of the working group. "There's a complete alignment in interest between private sector insurance and the government in terms of cyber-risk management and the need to understand the bottom-line costs."

While sharing data might sound like a fairly simple process, it's fraught with complexities: from the age-old problem of companies unwilling to confess the details of a security breach to the absence of legal precedent for the liability that companies could face in a court of law due to a security breach. "Nobody really knows what data they're looking for," says a source close to Richard Clarke, President Bush's cybersecurity adviser. "Companies have traditionally not factored in cyberlosses. When Code Red and Nimda happened, some companies took a big hit, but there were no metrics for tracking what it costlost productivity, the IT department's time. Nobody knows how to estimate it."

Given that, insurers are taking two basic elements into account in setting the premiums for their e-risk policies. The first is the security audit that most insurers require as a prerequisite to coverage. The audit (conducted by a third-party security management company) usually involves the submission of an application overview of the company's operations and completion of a security questionnaire. Most auditors will also take a close look at the security policies a company has in placehow often passwords are changed and antivirus updates are run, and the policies that govern employee access and use of systems. Depending on the policy's requirements, that step may be followed up with penetration testing and social engineering exercises designed to plumb the company's susceptibility to external attacks. And in case you're thinking that the serious security breach you had this year will make you an unattractive candidate to an insurer, you shouldn't worry. "The best time to insure a company is after the fire," says O'Neill. "That's when they're likely to have the best fire suppression system and sprinklers."

The second area that insurers are looking at is the fundamentals of your businessthe size, revenue base, industry and management. In the current economic climate, it's worth noting that financial health is also a determining characteristic. "Financials are a good indicator of being able to safeguard your company," says O'Neill. "Less-than-stellar financials suggests that you don't have the capital to put into your electronic platform." All of that information becomes part of the underwriting process and, like a home inspection, the insurer and applicant will often negotiate about certain areas that need to be fixed in order to strike a deal. Once an applicant meets the qualifying level of security, it can go further and implement additional security measures that the audit recommends. And their premium will lower accordingly.

The process behind the pricing of the embryonic market for cyberinsurance is not all that different from the way other markets have developed. "I compare it with the way the environmental market built out," says Harrison Oellrich, a managing director of Guy Carpenter & Co. "The initial forms and exposures were very similar in that there was no data to underpin the rates. People began by putting a very restrictive policy form with very high pricing on the market; and over time, as they began to develop experience, they were able to broaden policy forms and modify the pricing significantly." Tips for the CSOGiven the uncertainty surrounding the pricing of cyberinsurance and the growing pressure on companies to seek such protection, the best thing a CSO can do is to judiciously examine each policy to determine how well it matches his company's needs. And forging a close relationship with the company's risk manager will be critical to that process. "Often, it's the first time they've even met one another, which is frightening," says Tracey Vispoli, assistant vice president and cyber solutions manager at The Chubb Group. "We're there to talk about risk, not technology. How much risk the organization wants to keep and how much it wants to transfer. When you put it on the business level of risk, everyone speaks the same language."

Here are some other things you can do.

Prioritize assets. Working together, the CSO and risk managers should develop an inventory of the company's technology risks and assets, prioritizing the assets that need to be recovered first and the points of failure that could result in widespread risk to the organization. "While CSOs tend to be experts in risk identification and mitigation, they have little experience with the alternatives for transferring the financial impact of losses from the balance sheetin other words, how can they hedge their bets," says Grange. "That's why a risk management model applies."

Assess weaknesses. A thorough risk analysis should include a gap analysis. What is the company's current security-breach coverage under other policies? Pay attention to the gaps between physical and cybersecurity coverage. Most traditional insurance policies will cover physical security breaches within the four-wall operations of the companylike the theft of a computer from someone's desk or a break-in where an individual absconds with sheafs of valuable information. But the physical and cybersecurity worlds intersect in so many different ways that a thorough gap analysis should be done to uncover any potential holes in coverage. One technique for accomplishing that is to purchase cyberinsurance coverage from the same insurer that provides your traditional physical coverage.

Share information. CSOs should also open a dialogue with other business leaders to ensure that they understand what cyberinsurance doesand does notcover. The scope of most policies is quite narrow, and while it may underwrite failures in the company's e-commerce operations or applications, it won't underwrite the Web, for instance. And if the ISP goes down and the company can't conduct business, it's likely the loss won't be covered. All the important players in the corporate hierarchy should understand the policy's boundaries so that when there is a security- or technology-related problem, everyone has the same expectations.

Business unit leaders can also help CSOs hammer out the right policy with insurers. For example, if a business unit conducts $150,000 over its e-business network per hour, it will be important to ensure that the policy indemnifies the system in question for at least that amount.

Pay attention to detail. CSOs should note any exclusions that are written into an e-risk policy. Some insurers will offer coverage for security breaches that are perpetrated by external individuals, but not by employees. The assumption is that an internal user poses a far greater risk and can inflict substantially greater losses. Some companies in the past year have also inserted exclusions into their policies that stipulate they will not cover cyberlosses as the result of terrorism. Determining whether a hack is an act of terror could be a sticky issue between CSOs and insurers. At The Chubb Group, Grange notes that they have decided not to make a terrorism exclusion. "It seems to us that, from a customer perspective, one does not make a distinction between a regular hacker and a political hacker," he says. "I don't care who launches the virus against you, a virus is a virus is a virus. Just like a fire is a fire is a fire." Some companies that have a terrorism exclusion will offer you the opportunity to buy that coverage back if you wish.

Know the facts. One finaland perennially difficultissue is if, when or how the authorities will be notified in the event of a breach. O'Neill suggests that CSOs have that conversation with their insurer up front as some companies have policies that mandate calling the authorities, which can sometimes make it harder for the company to get back up and running. "When you engage the feds, they will draw yellow tape around the affected systems and impair a company's ability to gain forensic information," says Sanjay Mehta, vice president of business development at TruSecure. If the systems are physically quarantined, the effort to restore business continuity can be dragged out indefinitely.

The best advice for CSOs that are weighing cyberinsurance coverage is the familiar adage: Let the buyer beware. Many of the differences between individual cyberinsurance policies are found in the small print, and CSOs who carefully analyze the details of their coverage will be better protected ifor whenThe Big One comes along.

Insider: How a good CSO confronts inevitable bad news
Join the discussion
Be the first to comment on this article. Our Commenting Policies