Cybersecurity Insurance: Safety at a Premium

Are your intangible assets protected? Here's how to choose the right cyberinsurance policy for your company.

Many corporate risk managers assume their company's commercial property/casualty policies will cover any business disruptions that result from security breaches. They're often wrong. In a recent survey of financial institutions mentioned in NYSE Magazine, more than three-quarters of the 76 percent of respondents who identified e-commerce as their number-one risk-management issue also erroneously stated that they were covered for cybercrimes under their traditional insurance policies.

Most standard business insurance policies cover only the damage or theft of tangible assets like buildings or equipment. "Computer code is deemed to be intangible," says O'Neill. "Property and casualty policies were never written to assess these exposures and were never priced to include them."

Until recently, traditional property insurance may have provided some coverage for virus-related exposures, but as of January 2002, the majority of insurers eliminated it as well. The reason: the reinsurance or secondary market—which functions like a bookie with whom the primary insurance industry lays off its bets to minimize undue risk concentration—is concerned by the notion of the cyberhurricane. "It could affect thousands of companies simultaneously with no geographic locus," potentially causing too much exposure to individual insurance companies, says Jeffrey Grange, senior vice president and global manager of fidelity and professional liability products for The Chubb Group.

The second reason insurance companies are moving cautiously in that area is the reality of insuring a post-Sept. 11 world. The prospect of significant business disruption to the telecommunications network on which technology platforms run is that much more real after 9/11. It is also considered likely that a next wave of terrorist attacks could come in the form of cyberattacks aimed at disrupting significant portions of the critical infrastructure and targeting the technology backbone of various enterprises.

The result of those market pressures has been a retrenchment on the part of insurers and reinsurers thatafter paying out tens of billions of dollars in 9/11 losseshave lost their appetite, at least in the short term, for a new market in which so many uncertainties exist. While industry insiders such as Grange expect that to be a temporary market dynamic, the consequence for companies currently seeking cyberrisk coverage will be that premiums will be higher and the policies that already require a fairly stringent security audit will be harder to qualify for.

Similar economic pressures are making cyberinsurance that much more important for companies whose risk-management practices are facing growing scrutiny by government groups and investors. For many companiesparticularly those in technology, financial services and pharmaceuticalstheir most valuable corporate assets are in the form of data. The Financial Accounting Standards Board (FASB) is now directing companies to state the value of those intangible assets in order to more accurately quantify the business's market value. As more companies discover how large a percentage of their market capitalization is in the form of computer code and stored data, the pressure to properly protect it with high security standardsand thereby transfer through insurance the risk of lossis growing.