May 30, 2003

Insuring your company against acts of cybercrime

A computer network security breach brings with it many costs — staff time to fix it; hardware, software and data damage; system downtime; and the most difficult to quantify — an injured reputation.

No one knows exactly how much these breaches cost U.S. businesses, but a good point from which to extrapolate is the annual Computer Crime and Security Survey conducted by the Computer Security Institute and the San Francisco FBI’s Computer Intrusion Squad. Of the 503 U.S. companies that responded in 2002, 80 percent acknowledged financial losses because of computer breaches. Forty-four percent were willing and/or able to quantify their financial losses, which totaled $455.8 million.

Given the high visibility of computer crime and the wide availability of basic network safeguards — firewalls, intrusion detection systems, virus detection software and others — most companies use them. But no security controls are fail-safe. If those measures fail, companies can be in for a huge financial hit.

Cyberinsurance — variously called network security insurance, e-business liability insurance, digital asset insurance and even hacker insurance and other descriptive terms — is a growing insurance line.

Doug Bollman, sales manager with Boulder-based Taggart & Associates Insurance Inc., sells plenty of errors and omissions policies, but has found interest in protecting network assets “lukewarm.” Errors and omissions, also known as professional liability insurance, is malpractice insurance for technology service providers. It protects a company from claims if a client holds the provider responsible for programming errors, software performance or the failure of its work to perform as promised in its contract. “Until someone has a hack, a lot of companies believe they have impenetrable systems, and they are doing everything to protect themselves,” Bollman said.

Bollman’s experience doesn’t surprise Larry Harb. Harb’s company, IT Risk Managers Inc., is an Okemos, Mich.-based wholesaler of Internet and technology insurance. “I represent a number of different insurance carriers, and I work with insurance agents,” Harb said. “Most agents don’t get it or understand it. When they have a client ask for technology insurance, rather than say ‘huh?’ they call me.”

IT Risk Managers educates agents on technology risks. Since Sept. 11, 2001, businesses have been more aware of the potential liability of “assets sitting out on their servers,” Harb said, but insurance agents haven’t kept up. “New coverage like technology insurance or network insurance has been slow moving from the agents’ perspective, but very much needed from the insured’s perspective.”

According to Harb, about a dozen insurance carriers have cyberinsurance policies. Lloyd’s of London led the charge in 1998 when it spun off Safeonline LLC. Safeonline provides digital risk insurance products that are underwritten by Lloyd’s. Since then, other major insurance players including Chubb Group of Insurance Companies, AIG American International Group Inc., The Hartford Financial Services Group Inc., St. Paul Companies, Zurich Financial Services Group and others have developed cyberinsurance products.

Harb said it’s difficult to compare apples to apples among the carriers’ policies. But most offer both first- and third-party coverage.

First-party coverage, also known as business interruption insurance, protects a company when an internal (committed by a disgruntled employee, for example) or external (committed by a hacker or terrorist, for example) network security breach results in business interruption, property damage, damage or loss to electronic data, the need to enforce intellectual property rights, added costs of investigation, restoration, marketing and public relations, extortion and fraud.

Third-party coverage protects a company when an outside entity files a claim. Third-party complaints can include defamation, infringement of right to privacy or breach of confidence through unauthorized collection or misuse or loss of data, infringement of intellectual property rights, transmission of a virus, denial of service, credit card injury and loss caused by breach of security.

Harb said while the average for third-party coverage ranges between $17,000 and $20,000, the average for first-party coverage is closer to $30,000. First party is more expensive because, “We’re insuring so much more,” he said. “What we’re insuring against is no longer you getting sued by an outsider. We’re now putting you back financially whole.”

The cost of either type of coverage also will vary depending on type and size of business, maximum liability, deductible and how much risk the insured is willing to assume.

Harry Croydon, chief executive of Safeonline, said his company’s primary customers are small- and medium-sized businesses between 10 and 200 employees. Headquartered in London with an office in Mason, Mich., Safeonline has products that run from $800 upward.

Its SafeData product, for example, is a first-party contract that covers against the costs incurred in retrieving, restoring or re-entering electronic information held on computer systems and Web sites. The lowest limit available on this policy is $20,000, and the deductible is $100.

SafeBusiness is SafeData with a third-party component that adds a limit of between $250,000 and $1 million for third-party claims and has a $250 deductible on third-party claims.

The company’s SafeEnterprise product adds errors and omissions coverage and can provide a limit up to $10 million.

In addition to these off-the-shelf products, Safeonline can write customized policies, Croydon said. The company’s average sale is between $2,000 and $8,000.

New York City-based insurance giant AIG offers cyberinsurance through its AIG eBusiness Risk Solutions subsidiary. Chief Operating Officer Ty Sagalow differentiates AIG eBusiness Risk Solutions in a number of ways. The company offers a higher limit — $25 million — than other carriers. The company provides prospective clients a free on-site security assessment conducted by an unaffiliated security firm whether or not the prospect actually purchases a policy. And the company offers a number of unique products that cover cyberterrorism, cyberextortion and identity theft.

AIG eBusiness Risk Solutions’ policies range from “less than $1,000 up to well into the six figures,” Sagalow said.

Although Sagalow naturally would like those seeking cyberinsurance to buy his products, he feels he has a greater mission — delivering the message that, “Today, every business is an e-business.

“Every business now is dependent upon a working network,” Sagalow said. “Every business needs to ask themselves, ‘What would be my financial loss if my network went down? What if someone destroyed the data on my network or stole confidential information?’”

Contact Caron Schwartz Ellis at (303) 440-4950 or e-mail csellis@bcbr.com.
