Cyber-insurance policies are becoming more popular, but does your company actually need one? CIO Insight Reporter Debra D'Agostino spoke to Gartner Research analyst Vincent Oliva to find out what CIOs should keep in mind when considering such policies. An edited transcript of Oliva's remarks follows.
CIO Insight: Where did cyber-insurance originate?
Oliva: It started with Y2K back in the late 1990s. As cyber-risks became more prevalent and companies got more involved in e-business, the insurance industry looked at this and said that normal corporate policies didn't cover cyber-risks; they were really more for physical types of risk and exposures. Insurance companies had not considered in their underwriting and in their pricing of insurance the whole issue of cyber-terrorism, cyber-risk and hacking. So what the insurance companies did, and historically have done on similar issues, was start to put exclusions on their existing policies for losses that would evolve out of cyber-risk. Then they started to examine cyber-risk and develop actual insurance products that they could go out to the market and sell. So the first cyber-insurance policies hit the market in early 2000. The adoption rates today are roughly $100 million in insurance premiums that have been sold in the market for cyber-insurance since 2000. The earliest adopters of cyber-insurance have been the businesses that are really heavily relying on e-business. The financial services industry has really led the pack on this.
Why are these policies gaining popularity now?
Cyber-viruses and hackers are becoming more of an issue. Sept. 11 actually, from the entire security point of view, raised the awareness of it, so I think if anything, Sept. 11 was a catalyst to increase the awareness and the adoption of cyber-insurance purchases.
How do companies go about getting cyber-insurance?
Insurance is a lot like credit. The companies that really need it find it tough to get, and the companies that don't need it as much can get it pretty easily. In order to buy cyber-insurance, a security audit is really part of the underwriting process. If a company is looking into buying a certain type of insurance, it is going to find out that its security house really has to be in order or it is not going to be able to buy cyber-insurance.
What does the security audit entail?
Mostly it's looking at a company's entire security strategy. That means everything from simple password policies and firewalls all the way to organizational and human resources issues. Does a company have a large enough security staff? There are a lot of holes, for instance, and an awful lot of software out there that requires patching on a regular basis. One of the things insurance companies look for when they evaluate the risk for cyber-insurance is whether a company has a sufficient security staff to be able to apply all of the patches it needs to the software it's using to keep it secure. Being cyber-insurance worthy really is a matter of not only having the technology in place to be a secure environment via firewalls and things like that, but also having the human resources in place, and the systems in place and the procedures in place, to be secure.
So to feel adequately prepared for an audit, are there specific things CIOs and CISOs need to do?
Normally, an IT organization needs to create a security arm of its IT operations that concentrates on nothing but making the IT environment secure. Organizations also need to do what I call pre-audits. When you apply for cyber-insurance, most insurance companies will require a security audit, and most insurance companies do not do that audit themselves. They usually outsource that to a security firm. I recommend that companies go through an auditing process themselves, perhaps bringing in a security auditing firm to do an audit on their IT security operations first. That way, when you go to buy the insurance, your company is going to be more prepared to qualify. Companies that do pre-audits will have a better chance for success at actually getting the insurance, and their premiums will probably be lower if they can prove through a pre-audit that they have the proper security in place on their IT operations and e-business operations.
How long does a security audit take?
Normally, obtaining cyber-insurance is a 60- to 90-day process, from the time the application is filled out, the security audit is completed and the underwriting is done, to the point when the actual proposal is delivered to the client by the insurance company.
And insurance companies use the results of the security audit to determine the premium?
Figuring out the premiums for something like cyber-insurance, a new product, is difficult. Normally, the way underwriters figure out premiums is largely by actuarial means: using past loss experiences to determine future losses. A lot of their premium determination is centered around the prediction of what future losses will be. On a new product like this, however, that's difficult to do. Insurers and companies don't have a lot of experience yet, so they're using sort of more art than science in developing the premiums. They take into consideration not only the size of the company but the dependence upon e-business or the types of uses the applicant has for the Internet and so forth. They look at the applicant's visibility on the Internet: Are they more susceptible to being hacked than another industry might be? They also look at the overall controls that a company has, their audit and security functions. There is really at this point no real magic formula when it comes to setting premiums; an awful lot of it is still judgmental. The premiums for cyber-insurance can range from $5,000 for a very small firm to over a million for a very large firm.
What does the adoption rate look like? How quickly will companies begin buying cyber-insurance?
In terms of figures, all we have right now is that $100 million figure, which is pretty small when you look at the insurance industry overall being a multi-trillion dollar industry. Some sources are predicting that the premiums will reach the $2.5 billion mark by 2005. Personally I think that's a little aggressive. It will probably be more in the billion-dollar range by 2005. I would say it is going to take at least until then before we see what we would call general adoption of cyber-insurance, and I say that for a specific reason. Most companies are examining cyber-insurance today, looking into it to see what it's all about, and many companies are hesitant to buy it right now because it's a largely untested product. One of the things that makes an insurance product successful over time is the loss experience and the case law that's developed. Not every loss is clearly covered by insurance, and the real usability of insurance coverage is the insurer's ability to pay.
This product is largely untested, so I think right now that if a company buys cyber-insurance and they have a claim that is clearly covered by the policy, it will probably be paid. If it's not, they will probably end up in arbitration or in court trying to get that out of the insurance company. Basically, my advice to a company considering this would be to be careful. Examine the cyber-insurance market and be very careful about what policies do and do not cover, and make a wise purchasing decision based on the coverage being provided and how that relates to the company's risks. The existence of insurance is not an excuse for poor risk management. Companies can't make the risks go away by buying insurance.