IT leaders are particularly likely to get confused, because tech
execs have not traditionally made decisions about corporate
insurance. Likewise, the risk management and legal teams that
typically do make insurance decisions have not customarily
sought out their IT counterparts for advice.
Yet, IT’s input is crucial when it comes to deciding whether to
purchase cyberinsurance and determining what coverage to buy,
security experts say.
“The IT people and the risk people desperately need to get together to talk about risk in terms of information technology and the
likelihood and outcomes of a breach,” says Don Fergus, an IT risk
consultant and 2012 chairman of the IT Security Council for the
security professionals organization ASIS International.
at a company before they write any policy, and they might
even require a third-party audit to verify what’s in place, says
Mark Lobel, a principal and security benchmarking expert at
PricewaterhouseCoopers. Therefore, companies must ensure
they follow the best information security practices for their
industries, he says.
IT leaders should then determine potential threats, the likelihood that they will occur, and how such threats will impact the
organization if they do happen. “You can’t insure [correctly] if you
don’t understand the risks,” Lobel explains.
Not all companies — or all IT departments — are comfortable
with this level of self-scrutiny, points out ASIS International’s Fergus.
“There is a head-in-the-sand kind of view,” he says. “IT people may
know they’re vulnerable, but they don’t want to write it down.”
What’s Covered, What’s Not
Some companies purchase standard insurance policies and think
they’re fully protected, not realizing that the policy might cover
physical property but not intangibles. For example, a
property insurance policy would cover the cost of a
server smashed up by a disgruntled employee, but it wouldn’t cover the company’s
liability for failing to perform a service for
a client as a result of the server downtime.
Liability insurance generally offers protection from lawsuits or claims, but Fergus
points out that general liability, errors and
omissions, and directors and officers liability insurance policies will not cover claims
arising from electronic data loss or lack of
access to that data.
Ken Goldstein, vice president of Chubb
Group of Insurance Cos. in Warren, N.J.,
explains that cyberinsurance falls into
two general buckets. The first bucket
covers costs associated with third-party
liabilities — that is, claims from other
organizations. And the second covers
first-party expenses and losses — that
is, damage to your own organization.
Additionally, policies are available that cover other costs, such as
third-party notification and PR expenses.
Of course, companies can purchase policies to address both
first and third parties, so they’re covered for a range of scenarios — from the cost of notifying customers whose data was
breached, to the cost of hiring a forensic IT team, to even the cost
of extortion and ransom demands, Goldstein says.
Even companies that have done their due diligence can be in for a
jolt, Fergus says. “They go out to the [insurance]
carriers, and they get sticker shock.” That’s because
cyberliability insurance can cost $7,000
to $40,000 per million dollars of loss. And
with losses possibly totaling in the tens —
or even hundreds — of millions, a policy
that covers such costs can carry a staggering price tag.
Deciding how much coverage to buy
can be tricky. Too little, and you don’t
cover your exposure. Too much, and you
face the prospect of sky-high premiums. In Towers Watson’s 2011 Risk and
Finance Manager Survey, 61% of the responding companies that were carrying
network liability policies said that they
had bought $10 million to $49.9 million
in coverage limits; only 8% had purchased policies with $50 million or more
in coverage limits.
Some companies take a look at the cost
of coverage and balk. Others worry about
payouts, particularly in light of a few high-profile cases in which
the insurer and the organization filing a claim wound up in
court. Sony and the University of Utah were among the organizations involved in such cases.
Hord Tipton, executive director of the nonprofit International
Information Systems Security Certification Consortium, says his
organization doesn’t carry cyberinsurance. Companies that do,
he contends, may become lax. “A company should not let complacency set in just because they are insured,” he warns.
More important, Tipton maintains, insurance couldn’t help
his organization recover the most valuable asset it could lose in a
breach: its reputation.
Chubb’s Goldstein counters that logic, saying companies might
find that they can survive the hit to their reputation only to
realize that the costs of repairing other damage will do them in.
As he points out, “You’d hate to assume you’d be out of business
because of reputational damage, only to find what sunk you
wasn’t the reputation but the cost of the liability.”
Pratt is a Computerworld contributing writer in Waltham, Mass.
IT Pros as Insurance Experts?
Companies considering a policy need to determine exactly what
coverage they need and whether it makes sense to pay the premiums associated with that coverage, says Eric J. Sinrod, a San
Francisco-based partner at national law firm Duane Morris.
That’s where IT comes in. An organization’s risk management and
legal folks understand the language of insurance riders and exclusions, but no one is better equipped to understand and articulate an
organization’s information security system than the people who run
it. “The CIO is on the front lines in dealing with information systems
and should know about actual and potential problems,” says Sinrod.