Can 'cyberinsurance' protect you from data breach catastrophe?
Business is booming after disasters like the TJX case, but policies can be expensive, complex and hard to get
June 19, 2007 12:00 PM ET
Computerworld - Laptops are walking away. Hackers are breaking in. Tapes are missing in transit. Any of these developments could lead to a data breach, which, combined with state disclosure laws, could trigger crushing expenses.
Cyberinsurance policies could cover such losses, but they may be expensive, complex and somewhat difficult to acquire -- and it may be even more difficult to determine whether they are truly worthwhile.
Cyberinsurance policies emerged about a decade ago with the realization that conventional insurance covered physical damage, but not lost data. Responding to the latest headlines, today's policies focus on the losses associated with a data breach. Such losses usually include the expense of notifying the victims, offering them credit monitoring and other "crisis management" expenses, explained Larry Harb, president of IT Risk Managers, an insurance broker in Okemos, Mich. Defense against the resulting lawsuits and government regulatory action is typically covered.
But while coverage has evolved, prices have remained high, even though there are now about 20 different carriers in the market. Harb recalled presenting a dental association with a privacy policy that offered coverage of $1 million for a yearly premium of $1 per stored name. An established dentist might have 4,000 patient files, for a premium of $4,000. "That was more than all their other insurance put together, including their general property and liability, so they didn't go for it," Harb said.
"I can tell you that there are major health care and financial institutions that have been turned down because they did not pass scrutiny." -- Kevin Kalinich, director at AON Corp.
"A bank will pay more than a pizza shop, but coverage generally runs from $7,500 to $12,000 per million dollars of coverage," said Nick Economidis, vice president at the National Union Fire Insurance Co., an AIG subsidiary in Pittsburgh.
Policies covering network risks could be expected to cost $10,000 to $20,000 per $1 million in coverage, said Kevin Kalinich, a director at the AON Corp. in Chicago, described as the world's largest insurance broker. But the addition of professional services "errors and omissions" coverage will double the cost, he added.
But the variability of cyberpolicies and coverage is apparently as off-putting as the prices. Sharon Nelson, president of Sensei Enterprises in Fairfax, Va., recalled contacting five different carriers about cyberinsurance. "Prices for identical coverage ranged from $16,000 to $70,000 per year. I got the impression that cyberinsurance is a mysterious world, dimly understood by all its participants.
"There are also issues about what is covered," Nelson added. "If you have a blog that offers advice, you might not be able to get coverage. Insiders cause 70% of data breaches, but a lot of policies only cover the direct damage caused by an insider, not the third-party damage."