No one expects to be hacked, of course. But companies can protect themselves — just in case the unthinkable happens.
"Cyberinsurance" is the moniker most often applied to policies that protect against losses from such security breaches. Traditional insurance companies, including American International Group, Lloyd's of London and The St. Paul Companies, are now starting to offer protection for e-business.
"Five to 10 years from now, I think this will be a mainstream policy," said John Farber, St. Paul's senior underwriter for cyber-risk and cyberattacks. "People are worried about it, and they are realizing standard coverages do have gaps." In other words, your property insurance probably doesn't cover your virtual assets.
But cyberinsurance is fairly new, and companies are only beginning to understand the risks they face. Furthermore, it may be difficult for insurance companies to quantify exactly how much financial loss is possible due to security violations. But Ty R. Sagalow, chief operating officer of AIG's e-business risk solutions, said that doesn't matter in an emerging area such as cyberinsurance.
"Yes, it's true there's not a lot of hard data, but if you wait for it, you missed the time when your clients really need you," Sagalow said. "They need you most when they can figure out the risk the least."
Prices for cyberinsurance policies start at $10,000 per year and can reach into the millions of dollars, depending on the size of the company, what types of threats it wishes to be protected from and how much needs to be insured. Also, some companies can be bigger targets than others for political reasons, and underwriters will factor that into the premium as well.
In some cases, there are no precedents in the offline world for cyberinsurance coverage. Viruses are a prime example. Several companies have filed lawsuits claiming that their e-mail was infected by another company that wasn't using proper antivirus protection, according to insurance executives, though none are known to have been successful yet.
Businesses are also being held liable when unauthorized intruders access customer data. "If you're someone using credit cards and you don't take due diligence to protect that data, you can be held legally liable. And that legal liability is being upheld by legislation," St. Paul's Farber said.
There are also situations that mirror those in the offline world, but take a more extreme form online, such as business interruption. If a brick-and-mortar store burns down, it would have protection for the amount of business that the store loses while it's rebuilding. People who live in the area will revisit when the rebuilding is done. An e-merchant, though, may never get a return visit from a customer, so business interruption is much more extreme.
Before any policy is offered, AIG's Sagalow said, it's important to complete a full risk assessment of the infrastructure. "Like any other insurance, it's not there for irresponsible companies," he said. "It's not there for companies that don't take reasonable steps to secure their assets."