Illena Armstrong looks at some of the forces driving demand for cyberliability insurance and what companies should be looking for
Companies may know a little about the availability of cyberliability insurance, but many are still far from signing on the dotted line to buy such policies. Still, as more insurers exclude internet threats from property or other traditional corporate policies at the same time that cybercriminals continue to make their presence known, cybersecurity insurance providers grow optimistic that an upswing in purchases is on the horizon.
According to the Insurance Information Institute, the current cyberinsurance market is between $100 and $200 million. The Institute predicts this will grow to about $2.5 billion by 2005.
Mike Kihm, general manager of Aeon's TechShield Program, believes these levels will be reached as organizations' leaders come to the realization that standalone digital risk policies, just like specific insurance policies for cars or homes, are necessary elements to transferring risk. Getting to such a buoyant environment will take some time and effort, though, since "the majority of firms are unaware that [such insurance] is even available."
Driving factors
While companies are increasingly on a search for cybersecurity insurance, it is true that "the overall number of buyers is still small," says Pete McLaughlin, director of sales for SystemExperts Corporation, who once sold cyberliability insurance and was a licensed insurance broker. "One reason cybersecurity insurance may be slow getting off the ground is that risk managers and IT directors do not typically hang out with the financial folks who normally deal with insurance issues. Many financial people don't appreciate the need for the additional insurance - they don't understand that computers and networks are never 100 percent secure."
Despite this, other factors are continually bringing the benefits of having cyberliability insurance to enterprise buyers' attention, says Ty Sagalow, chief operating officer and executive vice president of AIG eBusiness Risk Solutions. For example, regulatory demands on particular vertical markets require companies to undertake certain security measures and programs to protect the privacy of individual citizens, he notes. Additionally, threats like Nimda and Code Red have shown many companies that even with security solution deployments, damage to information, reputation, and more, is often unavoidable. On top of this, the U.S. Government has cited in its National Strategy to Secure Cyberspace the importance of managing the risks to systems connected to the internet, since no technologies or plans will eliminate every possible disruption.
To Sagalow, all these factors are culminating to drive enterprises to create a total risk management plan that should include dedicated teams of IT security professionals, standards-based policies, layers of security technologies and cyberliability insurance. Such insurance can cover legal liability to others, loss or damage to data, loss of revenue due to various attacks, loss or damage to reputation, and loss of market.
Is it right for you?
Where problems can arise is in finding the right cyberliability policy to support a company's holistic risk management plan, especially when many carriers of corporate insurance policies have increasingly excluded hack attacks.
"Some, but relatively few, insurance carriers are answering the call. Most carriers are afraid, and for good reason," Sagalow says, noting that there are "no actuary tables, no hard data on frequency and variances" for any type of IT security risks. So, if companies are going to invest in strong cyberliability insurance policies, they need to be sure that their carrier is committing the resources necessary to get the job done.
To begin with, says SystemExperts' McLaughlin, organizations should start by understanding existing insurance coverage. But, for those not covered, cyberliability insurance may be the way to go - as long as "the reality of the ongoing costs of the coverage and the specific exclusions" fail to intimidate them. For this very reason, fully understanding the details of policies is of top importance - and this "means carefully reading the fine print in those long policies," which "often contain exclusions."
On the other hand, costs can turn out to be less than expected, as some insurance companies offer credits and discounts to organizations that have certain types of security technologies in place or follow specific frameworks.
AIG's Sagalow notes that since premiums are based on the quality of the company's security program, the real value of such insurance policies comes into play when assessments conducted by the insurer help the company follow best practices.
However, adds McLaughlin of SystemExperts, often these assessments are "cursory" and only conducted once, rather than establishing "an ongoing assessment program."
On the whole, however, cyberinsurance makes a lot of sense conceptually, he says. "Understanding that there is no such thing as a totally secure network, some companies may want to transfer the remaining risk to an insurance policy," he explains. "This is a solid risk management approach. But, insurance is not for everyone. Ultimately, this is a risk/benefit decision."
Illena Armstrong is U.S. editor for SC Magazine.
Running for cover from cyber-risks
If an intruder wearing a dark ski mask and black lycra breaks into your data center to beat three of your servers with a baseball bat and spray-paint them blue, don't worry, say Jon Gossels and Pete McLaughlin, because your property coverage will kick in and cover the loss. However, if a twenty-year-old dressed in a floral shirt, Bermudas and flip flops manipulates the firewall, gains access to those servers remotely, and deletes or totally alters the data residing on them, you are in trouble. Traditional insurance products do not cover such malicious activity.
Filling in the gaps
One could argue that data is property. However, logic doesn't count in the world of contracts. Increasingly, specific language in the general liability policies excludes cybercoverage.
Cyberliability coverage has been developed to 'fill in the gaps' of traditional coverage such as general and property liabilities, and technology errors and omissions. Experts in the legal and insurance industry understand that these other types of coverage fall short.
Finding insurance that fits
AIG is a leading provider of such coverage and has been providing it for a few years now. It is probably a good place to start if you are shopping for it. But, several other companies are offering competing insurance products that may provide organizations with different options and flexibility. For example, a small company named INSUREtrust claims to have been the first provider of cyberliability coverage. It began offering it back in the late 1990s and may have a more nimble approach.
Remember, it is insurance, and insurance is not difficult to understand, nor is it a new concept. Most people are familiar with the insurance-buying process, whether for a house, a car or a networked environment. Just like any other insurance, there are multiple providers with different types of coverage and not every coverage is a fit for each individual or organization.
Corporate risk managers should ask their insurance brokers about coverage and let the broker do his/her job in identifying different products and different rates. Then, like buying homeowners insurance, the risk managers should make a decision on what makes the most sense for their company. But be aware that while this type of coverage has been around for seven or eight years, it is still relatively new and immature.
Jonathan Gossels is president, and Pete McLaughlin director of sales, for SystemExperts Corporation (www.systemexperts.com).
Basing cybersecurity policies on standards
The problem with cybersecurity insurance, says Cliff May, is that there are far too many different ways in which insurers value a policy and gauge the relative security of their clients. Therefore, the implementation of an industry standard is perhaps one of the most effective ways of dealing with this issue.
Setting up a standard
Whatever technologies are put in place, it is fundamental for insurers and businesses alike to know the solution is optimized to ensure that daily activities are not disrupted. In far too many cases the implementation of business continuity and security technology is seen as the beginning and the end of securing the infrastructure.
Indeed, how often do we need to hear reports of unpatched vulnerabilities, outdated firewall configurations, and still more security holes that have allowed hackers, fraudsters, viruses and worms to cause costly damage before we wake up to the fact that technology in isolation is not enough?
Standards, such as the U.K.'s BS7799, which has become a de facto international standard (Part I is ISO17799), play a key role in raising awareness of security issues throughout the organization and help to foster a culture of vigilance. Not only do they encourage the use of technology to address key information security issues, but crucially, standards dictate that all technology must be backed by policies and procedures that are adhered to and enforced across the organization.
Under BS7799, information security becomes part of each employee's job description, increasing vigilance and reducing the threat to which a business exposes itself on a daily basis. In a nutshell, it encourages security across all departments and at all levels.
Business protection
BS7799 is one of the most wide-ranging and effective means of preventing security breaches from occurring. The real strength of the standard is that it generates an environment of continual improvement and sets in motion the policies and procedures by which businesses enter a cycle of continuous self-assessment. Yes, it is important to have the technology in place to protect a business, but updating and monitoring this technology and backing it up with increased awareness and education are crucial components of a good information security strategy, as well as components of BS7799.
The insurance industry has the opportunity to act as a catalyst for change in both awareness and uptake of BS7799 by encouraging businesses to gain certification. Insurers benefit from knowing that their client base is, and will continue to be, a low risk. This, in turn, will enable the insurance companies to achieve a lower volume of claims relating to information security breaches. BS7799 can act as an industry standard of which independent verification can be obtained at any time, and which provides actuaries with a greater insight as to the nature of the risk that they are assessing.
The pay-off from the client's perspective is that they can benefit from the reduced premiums that can be afforded by the increasingly lower risk value across the business community. In short, the insurance industry can help to shift the perception of security standards from a 'nice to have,' to a rational business proposition.
Cliff May is principal consultant with Integralis in the U.K. (www.integralis.com).
