Do You Need a Cyberumbrella?
If your company were hit with a cyberattack today, would it be able to foot the bill? The entire bill, including costs from regulatory fines, potential lawsuits, damage to your organizations' brand, and hardware and software repair, recovery and protection?
It's a question worth careful consideration, given that the price of cyberattacks is rising at an alarming rate. The second annual Cost of Cyber Crime study, released last August by the Ponemon Institute, reported that the median annualized cost of cybercrime for a company is $5.9 million -- a 56% increase from the 2010 median figure.
A growing number of insurance companies are offering policies that provide protection in the event of data breaches and other malicious hacks. But they're having some difficulty making many sales -- in part because the cost of premiums can be staggering.
Lawyers and information security leaders say many executives mistakenly believe that standard corporate insurance policies or general liability policies cover losses related to hacking, or that their cyberpolicies, if they have them, will cover all costs related to a breach. Most of the time, they won't.
A February 2011 paper by Forrester Research analyst Khalid Kark indicates that many companies are still trying to understand the basics of these policies, which are offered by such carriers as ACE USA, Chubb, The Hartford and St. Paul Travelers Cos. The most common questions revolve around what types of polices are out there, what they cover, how to select the right policy and whether such insurance is even needed.
IT leaders are particularly likely to get confused, because tech execs have not traditionally made decisions about corporate insurance. Likewise, the risk management and legal teams that typically do make insurance decisions have not customarily sought out their IT counterparts for advice.
Yet, IT's input is crucial when it comes to deciding whether to purchase cyberinsurance and determining what coverage to buy, security experts say.
"The IT people and the risk people desperately need to get together to talk about risk in terms of information technology and the likelihood and outcomes of a breach," says Don Fergus, an IT risk consultant and 2012 chairman of the IT Security Council for the security professionals organization ASIS International.
What's Covered, What's Not
Some companies purchase standard insurance policies and think they're fully protected, not realizing that the policy might cover physical property but not intangibles. For example, a property insurance policy would cover the cost of a server smashed up by a disgruntled employee, but it wouldn't cover the company's liability for failing to perform a service for a client as a result of the server downtime.
Liability insurance generally offers protection from lawsuits or claims, but Fergus points out that general liability, errors and omissions, and directors and officers liability insurance policies will not cover claims arising from electronic data loss or lack of access to that data.
Ken Goldstein, vice president of Chubb Group of Insurance Cos. in Warren, N.J., explains that cyberinsurance falls into two general buckets. The first bucket covers costs associated with third-party liabilities -- that is, claims from other organizations. And the second covers first-party expenses and losses -- that is, damage to your own organization. Additionally, policies are available that cover other costs, such as third-party notification and PR expenses.
Of course, companies can purchase policies to address both first and third parties, so they're covered for a range of scenarios -- from the cost of notifying customers whose data was breached, to the cost of hiring a forensic IT team, to even the cost of extortion and ransom demands, Goldstein says.
IT Pros as Insurance Experts?
Companies considering a policy need to determine exactly what coverage they need and whether it makes sense to pay the premiums associated with that coverage, says Eric J. Sinrod, a San Francisco-based partner at national law firm Duane Morris.
That's where IT comes in. An organization's risk management and legal folks understand the language of insurance riders and exclusions, but no one is better equipped to understand and articulate an organization's information security system than the people who run it. "The CIO is on the front lines in dealing with information systems and should know about actual and potential problems," says Sinrod.
Insurance companies will want to know what security exists at a company before they write any policy, and they might even require a third-party audit to verify what's in place, says Mark Lobel, a principal and security benchmarking expert at PricewaterhouseCoopers. Therefore, companies must ensure they follow the best information security practices for their industries, he says.
IT leaders should then determine potential threats, the likelihood that they will occur, and how such threats will impact the organization if they do happen."You can't insure [correctly] if you don't understand the risks," Lobel explains.
Not all companies -- or all IT departments -- are comfortable with this level of self-scrutiny, points out ASIS International's Fergus. "There is a head-in-the-sand kind of view," he says. "IT people may know they're vulnerable, but they don't want to write it down."
Even companies that have done their due diligence can be in for a jolt, Fergus says. "They go out to the [insurance] carriers, and they get sticker shock." That's because cyberliability insurance can cost $7,000 to $40,000 per million dollars of loss. And with losses possibly totaling in the tens -- or even hundreds -- of millions, a policy that covers such costs can carry a staggering price tag.
Deciding how much coverage to buy can be tricky. Too little, and you don't cover your exposure. Too much, and you face the prospect of sky-high premiums. In Towers Watson's 2011 Risk and Finance Manager Survey, 61% of the responding companies that were carrying network liability policies said that they had bought $10 million to $49.9 million in coverage limits; only 8% had purchased policies with $50 million or more in coverage limits.
Some companies take a look at the cost of coverage and balk. Others worry about payouts, particularly in light of a few high-profile cases in which the insurer and the organization filing a claim wound up in court. Sony and the University of Utah were among the organizations involved in such cases.
Hord Tipton, executive director of the nonprofit International Information Systems Security Certification Consortium, says his organization doesn't carry cyberinsurance. Companies that do, he contends, may become lax. "A company should not let complacency set in just because they are insured," he warns.
More important, Tipton maintains, insurance couldn't help his organization recover the most valuable asset it could lose in a breach: its reputation.
Chubb's Goldstein counters that logic, saying companies might find that they can survive the hit to their reputation only to realize that the costs of repairing other damage will do them in. As he points out, "You'd hate to assume you'd be out of business because of reputational damage, only to find what sunk you wasn't the reputation but the cost of the liability."