Cybersecurity Insurance: Safety at a Premium

Are your intangible assets protected? Here's how to choose the right cyberinsurance policy for your company.

Regulatory developments are also going to increase the pressure on companies to account for and mitigate risk. The Basel Capital Accord, which was developed in 1988 by an international banking organization to promote the safety of the global financial system, has been updated with new regulations that are due to take effect in 2004. The new accord will specify methodologies by which financial institutions must measure their operational riskthe risk of direct or indirect loss due to inadequate or failed internal processes, people and systems or external events. That risk measure forms the basis for a calculation of the amount of capital an institution must set aside in reserves to cover potential losses. For the banking industry, many of those operational risks will revolve around the use of technology, and being able to offset some of that risk to insurance will be an attractive option and may reduce the amount of capital that an institution has to keep on hand. Weird ScienceQuantifying the losses from a breach in security is a complex processand one with which the insurance industry has struggled for years. After all, if somebody steals the computer on your desk, that's pretty much a known value and the claim is for the cost of replacement. When data is lost, the value is much harder to quantify. One could calculate the cost of reconstructing that particular record, but that figure doesn't account for the intellectual property value the stored data can have.

And what if the data were a pharmaceutical formula for a groundbreaking new drug and it was stolen and sold to a competitor? The entire company is less valuable because that information has been compromised. "The value of data is difficult to determine, and the value is often only relevant to that particular organization," says Doug McCarthy, senior operations analyst in technology underwriting for The St. Paul Cos. Given the difficulty of placing a value on that kind of intangible information, it's important that CSOs work with an insurer that shows a keen understanding of its industry.

Most lines of coverage in the insurance industry are backed by precise actuarial tables that inform the pricing process. For example, an auto insurer can look at the accident and theft rates for the state you live in, your driving record and the value of your car, and figure out precisely how much it should charge for coverage. The actuarial tables for cyberinsurance are still a work in progress, but an interesting partnership has been developing between the government and the insurance industry to try and flesh out those figures.