A business's most valuable asset isn't necessarily tangible. Perhaps it isn't a warehouse full of furniture, but a database of names, a directory of source code, an always-on Internet connection, or something equally ethereal. The owner of such a business might be surprised to find that none of these vital assets are covered by his or her insurance policy.
Traditional insurance products cover physical loss of tangible property. If a Web server is stolen or destroyed in a fire, the insurance company will pay to replace it. But all too often, the information stored on that server is worth much more than the hardware itself. But information isn't a tangible property, and regular insurance products aren't designed to cover that type of loss. For that, you need data insurance.
Data insurance, hacker insurance, or network security insuranceby any name, this type of coverage is a recent addition to insurance companies' offerings, and is relatively unknown among business owners. The idea is to protect the assets that are most valuable to e-businesses, such as electronic data and network connectivity.
We've all seen reports of stolen credit card databases in the news. These high-profile security breaches may be few and far between, but Internet security is a wide-scale problem for online businesses. And in the big picture, a stolen credit card file barely registers on the spectrum of bad stuff that can happen.
More than 52,000 Internet security incidentsin excess of 140 a daywere reported to the Computer Emergency Response Team Coordination Center (CERT/CC) in 2001, up from 21,000 in 2000. Those numbers are just a drop in the bucket. Most computer crimes aren't reported, and many more go undetected. When you consider that most hacking attempts are made by insiders, like disgruntled employees, the need for companies to prepare for risk becomes quite evident.
Although the data insurance sector is new, it's gaining popularity as companies learn the real risks of doing business on the Internet. Network security insurance is the fastest growing product in the history of insurance giant American International Group (AIG), according to Ty Sagalow, executive vice president and COO of AIG's eBusiness Risk Solutions. Bruce Schneier, CTO at Counterpane Internet Security, believes that sooner or later, it will be unthinkable not to have an anti-hacking policy.
But for the moment, choosing a policyor even finding an insurance company that understands what it means to insure datacan be a challenge. "Insurance products that deal with data insurance are emerging slowly," says Jack L. Strauss, president and CEO of SafeCorp, an information security consultancy. "There are few examples of standard products, and as such, their content from policy product to policy product varies greatly. Those that are offered in some standard fashion are over-constrained and ridiculously expensive. Also, the insurance industry as a whole moves at a glacial pace, even when they understand the target domain. And they don't get this space, as a group."
Counterpane's Schneier agrees. "There's more talk about this than actual policies being written." The market leader, AIG, claims 75 percent of the market. It has about 1,500 clients for its data insurance products, which have been available for two years.
How does a company determine whether it needs data insurance? "If, as a business, you don't use the Internet in any of your business operationsyou don't have a Web site, you don't email outside the company, your computer room isn't connected to the outside worldthen you don't need this insurance," Sagalow says. "But once you start using the Internet as part of your business strategy, the issue is not whether you need to buy this insurance for that risk, but rather, how much and what."
Shoppers will find many types of coverage under the broad umbrella of data insurance. When a business is connected to the Internet, the possibilities for damage go far beyond the "cracker breaks into your server and steals something of value" scenario that has been so often publicized by the evening news. The major areas that a data insurance policy may cover include:
An insurer should let you pick and choose the types of coverage that your business needs. "If you don't have revenue associated with your site, you don't need business interruption service. If you don't have data that you're concerned about being corrupted, then you don't need damage insurance," Sagalow says.
The most common claims at AIG, according to Sagalow, are related to Web content liability, professional liability, and security. Part of this is because of the policy choices themselves. For instance, every one of AIG's offerings includes Web content liability coverage.
Currently, data insurance mostly covers medium and large-size businesses. "What you're not likely to see for the next three years, at least, is a set of scalable insurance products that small to medium-size businesses will be able to understand and afford," SafeCorp's Strauss says.
The process of acquiring data insurance isn't that different from obtaining health insurance: Fill out some forms, then let a doctor check you out. The first step is to complete an insurance application, which includes questions about the technology products and services you use, and the people who manage the risks that you want to cover.
The second step is often an online security assessment, during which the CTO answers more detailed questions about the company's networking policies and procedures. Those two documents go to the underwriter, who may offer a quote. The insurance company might ask for an on-site security audit, which means that experts will interview employees and even attempt basic network intrusion techniques.
What will it cost to insure your data? That depends on many variables, including the type of insurance you choose, the amount of liability you have, the size of your company, and the security procedures your company has in place. "It would be fair to say that I have clients that spend as little as a few thousand dollars a year, and I have clients that spend hundreds of thousands a year," Sagalow says.
Determining the value of the data you want insured may not be easy. A single database or secret recipe may be the heart of your business, and estimating the worth of that intangible asset is a problem that can give CFOs nightmares.
"Until the insurance customersenterprises, businesses, infrastructure suppliers, etceteracan do a much better job of quantifying the value of stuff, for real, then we don't deserve better from the insurance guys," Strauss says.
You can likely get a discount on insurance premiums depending on the technologies you use. For instance, AIG gives discounts to businesses that use the eTrust software suite from Computer Associates, RSA SecurID to factor authentication, and the security assessment services of Unisys or Internet Security Systems.
"Eventually, the insurance industry will subsume the computer security industry," Schneier says. "The kind of firewall you usealong with the kind of authentication scheme you use, the kind of operating system you use, and the kind of network monitoring scheme you usewill be strongly influenced by the constraints of insurance. What will happen when the CFO realizes he can cut his insurance premium in half if he gets rid of all his insecure Windows OSs and replaces them with a hardened version of Linux? The choice of which OS to use will no longer be 100 percent technical."
Practices regarding the confidentiality of customer information are largely unregulated in the United States, at least at the federal level. There are exceptions, however, that are usually aimed at specific industries. For instance, the Gramm-Leach-Bliley Act focuses on privacy rules for financial institutions, the 1996 Health Insurance Portability and Accountability Act affects the medical industry, and the Children's Online Privacy Protection Act aims to protect children's privacy. Many states add their own privacy laws to the mix.
When choosing an insurer, look for one that has a specialized e-business unit and underwriters who understand the technical issues involved in data loss and Internet security. Look for a company with global reach. Sagalow suggests looking for carriers with a high capacitythe maximum amount of liability they will put out on any account. "The capacity gives you a hint of the confidence they have in their underwriting. If you ever want to go beyond that limit, you have to go somewhere else."
You can have the strongest firewall, the best IT team, and a crack network administrator, but none of these can guarantee that your network will always be secure and your critical files will remain intact. Despite your best efforts, a bored "script kiddie" could delete your product's source code, or a clumsy backhoe operator could inadvertently cut a fiber-optic line, bringing your business to a halt.
"Security is a process, not an event. It's not like fire, where you put in a sprinkler system and smoke detectors, and you're done. Your network is constantly in flux with new services, new employees, new operating systems and applications," says Scott Charney, principal at PricewaterhouseCoopers's cyber crime prevention and response group.
"Protect your crown jewels," he says. "Identify what you're trying to protect and the value of what you're trying to protect. This is risk mitigation, not risk elimination. You can't get down to zero risk. An e-policy will help you deal with the risk you cannot eliminate."
Schneier reminds clients that insurance is a risk management tool. "It turns a variable cost into a fixed cost," he says. "Businesses always like predictability, so insurance is a no brainer."
Major providers of data insurance include:
American International Group
The Hartford Financial Services Group
The St. Paul Companies