In Depth

Cybersecurity Insurance: Safety at a Premium

Are your intangible assets protected? Here's how to choose the right cyberinsurance policy for your company.

By Daintry Duffy

Page 4

The Critical Infrastructure Protection Board (CIPB), which was established by President Bush in October 2001, has taken a keen interest in the insurance industry. When a weather-related disaster occurs, the government can send in the Federal Emergency Management Agency, or FEMA, to provide recovery assistance and funding, but there is no such mechanism for a cyber-based event. With nearly 90 percent of the critical infrastructure in the hands of private industry, the government wants to ensure that there is a relief function in place. The government is hoping cyberinsurance will gain currency among companies and assume that role. To make that happen, the CIPB has developed a working group with insurance industry members to try to pool the data that exists within the government and the insurance industry to develop actuarial tables. It's a difficult process that's expected to continue into 2005. "The data exists in many sources within the private and government sectors," says Grange, a member of the working group. "There's a complete alignment in interest between private sector insurance and the government in terms of cyber-risk management and the need to understand the bottom-line costs."

While sharing data might sound like a fairly simple process, it's fraught with complexities: from the age-old problem of companies unwilling to confess the details of a security breach to the absence of legal precedent for the liability that companies could face in a court of law due to a security breach. "Nobody really knows what data they're looking for," says a source close to Richard Clarke, President Bush's cybersecurity adviser. "Companies have traditionally not factored in cyberlosses. When Code Red and Nimda happened, some companies took a big hit, but there were no metrics for tracking what it cost: lost productivity, the IT department's time. Nobody knows how to estimate it."

Given that, insurers are taking two basic elements into account in setting the premiums for their e-risk policies. The first is the security audit that most insurers require as a prerequisite to coverage. The audit (conducted by a third-party security management company) usually involves the submission of an application overview of the company's operations and completion of a security questionnaire. Most auditors will also take a close look at the security policies a company has in place: how often passwords are changed and antivirus updates are run, and the policies that govern employee access and use of systems. Depending on the policy's requirements, that step may be followed up with penetration testing and social engineering exercises designed to plumb the company's susceptibility to external attacks. And in case you're thinking that the serious security breach you had this year will make you an unattractive candidate to an insurer, you shouldn't worry. "The best time to insure a company is after the fire," says O'Neill. "That's when they're likely to have the best fire suppression system and sprinklers."
