Cybercrime insurance growing
Source: The Arisona Republic
By Russ Wiles
Date: September 15, 2003
Almost every week brings a new revelation of a computer breach somewhere in the business world.
Viruses on the loose.
Networks spilling confidential data.
Companies spend billions of dollars erecting firewalls, buying anti-virus software and taking other defensive measures, but sometimes those safeguards aren't enough.
For firms that still feel vulnerable, cyberinsurance provides another layer of protection.
Cyberinsurance or e-commerce insurance covers a laundry list of high-tech dangers, from lost income if a hacker interrupts your business to the costs of recovering data destroyed by a virus or malicious code.
The policies also focus on legal liabilities in case an attack on your computer system causes problems to innocent third parties, such as a breach of privacy because of data theft.
In addition, the policies cover things like public relations expenses to restore confidence and even payments that may be needed to settle a threat from extortionists.
"Virtually, all major businesses today rely on computer networks to function," said John Spagnuolo, a spokesman for the Insurance Information Institute in New York.
"But they need to recognize that network security risks are fundamentally different from traditional physical risks like fire."
Insurers won't name specific clients because of privacy agreements, but they say customers include firms in financial services, travel and tourism (including airlines), health care and retailing.
Also, many manufacturers have policies since computers control so much of the production process.
The business community's awareness of cyberinsurance does not seem high. Only 7 percent of business respondents in an Ernst & Young survey said they knew for sure that their firms have specific insurance coverage for cyberrisks.
Many executives assume incorrectly that standard business policies include computer-related dangers. But as rule, they must buy specialized coverage from one of a dozen or so carriers.
"Traditional insurance carriers have looked at some of these loss scenarios and said, 'Gee, that's not what we bargained for,' " said Jon Farber, vice president of global technology underwriting at St. Paul Cos., an insurer in St. Paul, Minn.
Underwriting the policies "involves an understanding of technology and some very different and unusual risks," said Emily Freeman, Western region vice president at AIG eBusiness Risk Solutions in San Francisco.
Besides St. Paul Cos. and AIG, cyberinsurers include CNA, Chubb, Marsh, Lloyds and Zurich North America.
Acceptance has been modest, with total annual premiums in the $100 million range. But insurers say demand is growing as businesses learn about the coverage.
Cyberinsurance dates to the late 1990s, when worries about the potential dangers from Y2K elevated computer risks to the front burner, Spagnuolo said.
Such policies are not sold to individuals, but consumers can purchase a somewhat related product, identity-theft coverage, that reimburses them for the costs to repair credit reports and correct compromised accounts.
Cyberinsurance has been targeted to mid- and large-size companies that can afford the coverage, Farber said.
Annual premiums start around $10,000, he said, and can go much higher.
Also, larger companies generally are better able to satisfy insurer demands that they have adequate safeguards in place.
Before a policy is sold, carriers will assess an applicant's cyberprotections.
AIG, for example, asks about such things as a firm's technology budget, security infrastructure, virus-protection programs, testing procedures and outsourcing.
Technology and dot.com companies were the early buyers of cyberinsurance, presumably because they knew the security limits of the products they built.
Since then, the customer base has broadened.
The potential customer list extends to virtually any company with a computer network, databases, a Web address and the like. Which means just about everyone is a candidate.
But as noted, awareness remains low.
"It's a matter of intensive education involving insurance companies, brokers and their clients," Freeman said.
Original article ^macro[showdigestcomments;^uri;Cybercrime insurance growing]