Insuring Security

By CIOinsight  |  Posted 08-08-2003

As companies increasingly do battle with hackers, viruses, data privacy leaks and theft, and other cyber mishaps, insurers are developing cyber-insurance policies that protect firms across all industries—from financial services to retail to healthcare—against business interruption, data destruction, cyber extortion, cyber-terrorism and other threats to companies' IT systems.

Beginning in 2000, as cyber risks became more prevalent and companies got more involved in e-business, the insurance industry began to develop products that underwrite those risks. Still, only about $100 million in cyber insurance has been sold so far. Says Gartner Inc. research analyst Vincent Oliva: "That's pretty small when you look at the multitrillion-dollar insurance industry."

But the market is projected to grow as information security threats to companies increase. The Insurance Information Institute estimates that cyber-insurance policies will generate premiums of $2.5 billion annually by 2005, though Oliva says it will more likely be around $1 billion. The reason? Cost. "For companies looking for cyber insurance now, the perception is that it is expensive," he says. While premiums for small businesses can cost as little as $1,000 for a basic policy, broad coverage for a major corporation can cost up to several million dollars annually, says Oliva. Such policies can include everything from network security to identity theft, cyber-extortion, cyber-terrorism and cyber-related business interruption and data damage.

And there's always the issue of getting what you pay for. Given the short history of cyber insurance, figuring out a fair premium that reflects not only a company's level of preparedness but also the likelihood of a successful attack is very difficult, says Oliva. "Normally, underwriters figure out premiums largely through actuarial means, using past loss experiences to determine future losses. On a new product like this, it's difficult to do that because they don't have a lot of experience yet. So they are using more art than science in developing the premiums—an awful lot of it is still judgmental." Among the criteria for setting premiums: the size of the company, its dependence on e-business and its visibility on the Internet. Internal controls, audit and security functions also matter.

Still, companies are wising up to the benefits of insuring their technology systems, says Ty Sagalow, COO of e-business risk solutions at AIG, one of the largest issuers of cyber-insurance policies. AIG's policy count, he says, has sharply increased since last year, and the company has issued thousands of policies during the past four years. At Chubb, the number of companies applying for insurance coverage has increased by 75 percent since last year. "Clearly," Sagalow says, "the notion that technology risk or cyber risk needs to be managed, and that you simply can't rely upon a new and improved firewall or other technology to solve all problems and risks of cyberspace, has caught on."

Are your company's risks great enough to warrant cyber insurance? Not all CIOs are convinced. "My experience has been that for large enterprises, the premium payouts are such that we are probably better off just spending the money to safeguard ourselves," says Bill Boni, vice president and CISO of Motorola. The premiums to insure his company would have cost several million, he adds.

Another issue that may deter CIOs is the risk assessment, an intensive audit of a company's IT security and procedures designed to help insurers determine its vulnerability. For companies that don't already have their security ducks in a row, it can be a long and painful process. "Insurance is a lot like credit," says Oliva. "Companies that really need it find it tough to get, and companies that don't need it so much can get it pretty easily."

Insurers admit the audit can be tricky. "It's an enormous effort," says Tracey Vispoli, worldwide financial fidelity manager in Chubb's department of financial institutions. "This is highly sensitive information, so the organization has to get sign-offs from senior-level people as to whether they are willing to undergo this kind of scrutiny."

The bottom line? "Be careful," says Oliva. "Not every loss is clearly covered by insurance, and the real usability of coverage is the insurance company's ability to pay. Be very careful about what policies do and do not cover, and make a wise purchasing decision based on the coverage being provided and how that relates to your company's risks."