Wednesday, January 12, 2011

Cyber Insurance – Is it Worth It?

Several of my blog readers have asked about cyber insurance. I asked a trusted expert on this topic, Michael R. Overly, Esq., CISA, CISSP, CIPP, ISSMP from Foley & Lardner LLP, to write a guest post:

Insurance exists to cover a wide range of potential business risks. Cyber insurance is worth considering as companies increase their online presence, business practices and data storage. Cyber insurance is not just for companies conducting transactions online (e.g., online retailers). It is valuable to any company that has critical systems or sensitive data, which is almost every business. While it is possible to have insurance that covers damage to your servers and other computer equipment, it is almost certain that such insurance covers only the physical damage to the hardware itself, and not the valuable data housed within. In fact, insurance policies regularly state that coverage is limited to the replacement cost of the hardware and not the data. This means that in the event a hacker gains access to your systems and disrupts operations, standard insurance coverage will probably offer little or no protection unless hardware is actually damaged.

The costs associated with restoring lost or damaged data, sending breach notifications to consumers, and other potential liability under each state's breach notification statutes can be astronomical. Cyber insurance can help cover some of the costs of a data breach, including the expense of sending notification to affected individuals, public relations, fines and penalties, responding to regulators, and any subsequent litigation by affected individuals. The potential for attacks and breaches is growing rapidly as more and more businesses move operations to the cloud. Moreover, attacks do not necessarily come from an outsider. Data breaches have resulted from careless, frustrated and vengeful employees, who often attempt to profit from someone else's information. Depending on the policy, cyber insurance can offer protection against losses from hackers, viruses, data breaches and denial of service attacks, and against claims of copyright, trademark and website content infringement.

Although cyber insurance provides beneficial protections for the policy holder, it is not without drawbacks and limitations. Most, if not all, cyber insurance policies are capped at relatively low levels compared to the actual, potentially catastrophic, liability that can result from a breach. It is equally important to review the policy carefully for exclusions. If the policy excludes indirect costs such as reputational damage, the policy holder bears those costs on top of the premium, which could be burdensome.

Because cyber insurance is a relatively new product with limited public acceptance, and because the laws and regulations governing breach notification continue to change on a state-by-state basis, the product, policies and premiums tend to differ greatly between providers. Additionally, many policy holders have found that premiums increased on renewal due to improper risk analyses, either of the insured or of the pool of insureds. Still, with the recent proliferation of data breach notification laws, interest in cyber insurance has risen, providing some stability in pricing. Even before a policy is quoted, most, if not all, insurers require applicants to fill out extensive questionnaires detailing their information technology and security practices. Many policies specify on-site assessments and audits of the insured's systems and policies, which for larger companies with multiple locations could run into the hundreds of thousands of dollars. In addition, as part of the assessment, the insured company would have to disclose its security procedures and vulnerabilities to a third party for a risk assessment review.

1 comment:

John Moccia said...

Interesting post. As a healthcare CIO, you must be keenly aware of the HIPAA and general privacy concerns associated with the breach of a (supposedly) secure network. Our blog offers some additional background on cyber insurance. We are also about to launch a toolkit to help companies quantify and mitigate their cyber risk. Here is a direct link to the cyber insurance post: