Cybersecurity Insurance: Safety at a Premium

Are your intangible assets protected? Here's how to choose the right cyberinsurance policy for your company.

December 09, 2002 — CSO — It can go by any number of names—the cyberhurricane or the digital earthquake—but the concept is the same: it's all about computer crime. crime at a magnitude so enormous that it threatens to disrupt the Internet, affecting the communications and business operations of a large number of companies simultaneously.

A constant onslaught of minievents have primed CSOs for the credibility of this notion. From the I Love You virus to Nimda, Code Red, Klez and Bugbear, security executives have had a sufficient taste of the financial costs and management headaches associated with fending off cyberattacks to understand that the threat to their companies is real. And potentially greater hazards loom on the horizon—superworms and cyberterrorism to name just a few.

So call it what you will, CSOs increasingly stand poised for The Big One.

While such an event poses an ever-present fear for CSOs, insurance companies see it as both a business opportunity and a challenge. Many insurers are marketing e-risk insurance products specially tailored to address the corporate security risks posed by the Internet, but the process behind offering e-risk insurance is currently much more an art than it is a science.

Cybercoverage

Mainstream business insurance policies were never meant to cover the astronomical financial and reputational costs that a virus or other technology-related business disruption can cause. The publicized theft of sensitive corporate data like credit card numbers has hastened a number of companies, such as Flooz.com, into bankruptcy. And in just the first five days of circulation, the I Love You virus cost businesses $6.7 billion, according to researcher Computer Economics. The insurance industry's reaction to the growing risks posed by Internet activity has been twofold: First, they've written exclusions into their basic business policies that Internet-related risks will not be covered. Second, they've seized the opportunity to develop and market specially tailored cyberinsurance or e-risk policies that offer specific coverage against hackers, viruses and cyberextortion. Policies like that would once have only made sense for customers that were betting their entire business on the Web, but the Internet has become so tightly woven into the operations of most large organizations that that is no longer the case. "Most companies with websites have gone from putting out brochures to being high-intensity publishers," says David O'Neill, vice president for e-business solutions at Zurich North America. "That opens the door to copyright, trademark infringement, electronic extortion and other computer crimes."

Policies vary widely in terms of what they cover. Some take a cafeteria approach, allowing companies to pick and choose only the specific coverage they require. But the challenge is that, while there's no shortage of security statistics coming out of law enforcement and security research companies, very little has been done to map those figures to the financial losses actually incurred by companies. Consequently, insurers are still deciding how to price the coverage. And because the actuarial models behind the policies are vague and differ greatly between insurers, companies looking for an e-risk policy are often comparing apples with oranges. To further muddy the waters, the pressure on companies to assess, mitigate or transfer any perceived risks to their business viability has never been greater. So what's the risk-sensitive CSO to do? Here's what you'll need to know when evaluating cyberinsurance.