In Depth

Cybersecurity Insurance: Safety at a Premium

Are your intangible assets protected? Here's how to choose the right cyberinsurance policy for your company.

By Daintry Duffy

Page 6

Assess weaknesses. A thorough risk analysis should include a gap analysis. What is the company's current security-breach coverage under other policies? Pay attention to the gaps between physical and cybersecurity coverage. Most traditional insurance policies will cover physical security breaches within the four-wall operations of the company, like the theft of a computer from someone's desk or a break-in where an individual absconds with sheaves of valuable information. But the physical and cybersecurity worlds intersect in so many different ways that a thorough gap analysis should be done to uncover any potential holes in coverage. One technique for accomplishing that is to purchase cyberinsurance coverage from the same insurer that provides your traditional physical coverage.

Share information. CSOs should also open a dialogue with other business leaders to ensure that they understand what cyberinsurance does, and does not, cover. The scope of most policies is quite narrow, and while a policy may underwrite failures in the company's e-commerce operations or applications, it won't underwrite the Web itself, for instance. And if the ISP goes down and the company can't conduct business, it's likely the loss won't be covered. All the important players in the corporate hierarchy should understand the policy's boundaries so that when there is a security- or technology-related problem, everyone has the same expectations.

Business unit leaders can also help CSOs hammer out the right policy with insurers. For example, if a business unit conducts $150,000 over its e-business network per hour, it will be important to ensure that the policy indemnifies the system in question for at least that amount.

Pay attention to detail. CSOs should note any exclusions that are written into an e-risk policy. Some insurers will offer coverage for security breaches that are perpetrated by external individuals, but not by employees. The assumption is that an internal user poses a far greater risk and can inflict substantially greater losses. Some companies in the past year have also inserted exclusions into their policies that stipulate they will not cover cyberlosses as the result of terrorism. Determining whether a hack is an act of terror could be a sticky issue between CSOs and insurers. At The Chubb Group, Grange notes that they have decided not to make a terrorism exclusion. "It seems to us that, from a customer perspective, one does not make a distinction between a regular hacker and a political hacker," he says. "I don't care who launches the virus against you, a virus is a virus is a virus. Just like a fire is a fire is a fire." Some companies that have a terrorism exclusion will offer you the opportunity to buy that coverage back if you wish.
