Cybersecurity Insurance: Safety at a Premium

The process behind the pricing of the embryonic market for cyberinsurance is not all that different from the way other markets have developed. "I compare it with the way the environmental market built out," says Harrison Oellrich, a managing director of Guy Carpenter & Co. "The initial forms and exposures were very similar in that there was no data to underpin the rates. People began by putting a very restrictive policy form with very high pricing on the market; and over time, as they began to develop experience, they were able to broaden policy forms and modify the pricing significantly." Tips for the CSOGiven the uncertainty surrounding the pricing of cyberinsurance and the growing pressure on companies to seek such protection, the best thing a CSO can do is to judiciously examine each policy to determine how well it matches his company's needs. And forging a close relationship with the company's risk manager will be critical to that process. "Often, it's the first time they've even met one another, which is frightening," says Tracey Vispoli, assistant vice president and cyber solutions manager at The Chubb Group. "We're there to talk about risk, not technology. How much risk the organization wants to keep and how much it wants to transfer. When you put it on the business level of risk, everyone speaks the same language."

Here are some other things you can do.

Prioritize assets. Working together, the CSO and risk managers should develop an inventory of the company's technology risks and assets, prioritizing the assets that need to be recovered first and the points of failure that could result in widespread risk to the organization. "While CSOs tend to be experts in risk identification and mitigation, they have little experience with the alternatives for transferring the financial impact of losses from the balance sheetin other words, how can they hedge their bets," says Grange. "That's why a risk management model applies."

Assess weaknesses. A thorough risk analysis should include a gap analysis. What is the company's current security-breach coverage under other policies? Pay attention to the gaps between physical and cybersecurity coverage. Most traditional insurance policies will cover physical security breaches within the four-wall operations of the companylike the theft of a computer from someone's desk or a break-in where an individual absconds with sheafs of valuable information. But the physical and cybersecurity worlds intersect in so many different ways that a thorough gap analysis should be done to uncover any potential holes in coverage. One technique for accomplishing that is to purchase cyberinsurance coverage from the same insurer that provides your traditional physical coverage.

Share information. CSOs should also open a dialogue with other business leaders to ensure that they understand what cyberinsurance doesand does notcover. The scope of most policies is quite narrow, and while it may underwrite failures in the company's e-commerce operations or applications, it won't underwrite the Web, for instance. And if the ISP goes down and the company can't conduct business, it's likely the loss won't be covered. All the important players in the corporate hierarchy should understand the policy's boundaries so that when there is a security- or technology-related problem, everyone has the same expectations.

Business unit leaders can also help CSOs hammer out the right policy with insurers. For example, if a business unit conducts $150,000 over its e-business network per hour, it will be important to ensure that the policy indemnifies the system in question for at least that amount.

Pay attention to detail. CSOs should note any exclusions that are written into an e-risk policy. Some insurers will offer coverage for security breaches that are perpetrated by external individuals, but not by employees. The assumption is that an internal user poses a far greater risk and can inflict substantially greater losses. Some companies in the past year have also inserted exclusions into their policies that stipulate they will not cover cyberlosses as the result of terrorism. Determining whether a hack is an act of terror could be a sticky issue between CSOs and insurers. At The Chubb Group, Grange notes that they have decided not to make a terrorism exclusion. "It seems to us that, from a customer perspective, one does not make a distinction between a regular hacker and a political hacker," he says. "I don't care who launches the virus against you, a virus is a virus is a virus. Just like a fire is a fire is a fire." Some companies that have a terrorism exclusion will offer you the opportunity to buy that coverage back if you wish.

Know the facts. One finaland perennially difficultissue is if, when or how the authorities will be notified in the event of a breach. O'Neill suggests that CSOs have that conversation with their insurer up front as some companies have policies that mandate calling the authorities, which can sometimes make it harder for the company to get back up and running. "When you engage the feds, they will draw yellow tape around the affected systems and impair a company's ability to gain forensic information," says Sanjay Mehta, vice president of business development at TruSecure. If the systems are physically quarantined, the effort to restore business continuity can be dragged out indefinitely.

The best advice for CSOs that are weighing cyberinsurance coverage is the familiar adage: Let the buyer beware. Many of the differences between individual cyberinsurance policies are found in the small print, and CSOs who carefully analyze the details of their coverage will be better protected ifor whenThe Big One comes along.