
Premium Protection

Security breaches. Viruses. Should you amend your IT insurance plan to cover such risks?

March 31, 2003 (Computerworld) -- A small but growing number of companies are looking to buy insurance that would provide financial relief in the event of a data security breach caused by cyberattack or digital terrorism.


Let's say a hacker broke into your company's networks and accessed reams of sensitive customer account data. Would your company be covered under its general liability insurance? Probably not.


Three or four years ago, there were a lot more gray areas as to whether information security was covered under general corporate liability policies, says Emily Freeman, a security consultant at AIG eBusiness Risk Solutions in San Francisco, an American International Group Inc. (AIG) division.


Computer and data security "wasn't affirmatively covered, but it wasn't excluded either. But now, the drift is for exclusion," says Freeman. As a result, financial services companies, retailers, hotels, travel-related businesses and technology companies are showing strong interest in data security insurance.


Commercial insurers such as AIG, Zurich North America Insurance Co. and The Chubb Corp. are responding with customized cybersecurity policies based on individual companies' exposure to risk.


Better Policies


Initial security policies that were available a few years ago "had high fees, and they weren't selling well," says Scott Charney, chief security strategist at Microsoft Corp. But over the past few years, he says, insurers "have become more savvy in crafting e-policies," even though the amount of business they're booking "is still relatively small," he adds. AIG has 2,000 network security insurance customers and roughly 70% of the global market, Freeman claims.


But IT and business managers should be aware that potentially crippling worms and viruses like the recent Slammer virus typically aren't covered under these newer data security insurance policies.


Why not? Consider the following analogy: Companies can buy fire insurance for 20 buildings in one city because the chance of a fire sweeping through all of the facilities at the same time is pretty remote, says Alan Paller, director of the SANS Institute in Bethesda, Md., a research organization for security managers and systems administrators. "But the rules for viruses are completely different—they can affect everyone," he says. Therefore, insurers typically either won't provide general liability coverage against worms and viruses or will offer only extremely limited property coverage, says Freeman.


Outside of the financial services industry, where electronic transactions with customers are an integral business component and high levels of security are critical, few CIOs and chief security officers are aware of the need for cybersecurity insurance, and senior managers rarely seek their advice when they are considering the company's insurance needs. "We haven't done any work on this yet, but there's a slow groundswell among some companies to begin taking actions on these issues," says RA Vernon, vice president and CIO at Reuters America Inc., which provides information to Wall Street brokerages and the financial services industry.


Before obtaining cybersecurity insurance, companies should have a third party conduct a network security risk assessment to demonstrate compliance to insurers. [See "How to Do an IT Security Audit," QuickLink 35761.] The process includes following security compliance steps that are mapped out by the ISO 17799 standard, a set of controls that detail best practices in information security.


While the ISO standard is widely used, critics say it's too high-level and specifies security practices that are common sense. An example, says Paller: "Make sure your systems are safe." A revamped version of the standard is being written to address some of these shortcomings. "Like any tech-related field, [ISO 17799] is moving in a million different directions at a crazy pace," says Chris Mullins, director of policy and compliance products at Bindview Corp., a security software vendor in Houston.


Evaluation Guidelines


Mullins advises IT managers to follow the guidelines offered by the National Security Agency and the National Institute of Standards and Technology to evaluate their security compliance. These guidelines are also used by some companies to demonstrate their security readiness to would-be insurers, he says.


Insurance companies also look at other factors, such as the frequency of internal security audits, the transfer of internal auditors among business units and the clauses in contracts between companies and their customers and business partners that stipulate the security compliance obligations necessary to receive online access to data.


They also consider human resources policies, says Tracey Vispoli, a manager at Chubb, in Warren, N.J. These include examinations of how employees are trained on IT security practices, how often passwords are changed on laptops and whether organizations conduct criminal background checks of job applicants. "We're not so much concerned with the products [customers] are using to mitigate attacks as we are with the [employee and access] controls and policies they've put in place," she says.


Insurers also tend to consider how vulnerable a particular industry is to attack. For example, if a $15 million office supplies retailer with a limited online presence wanted to buy insurance, AIG's Freeman says she first would have it conduct a security self-assessment using AIG's Web-based auditing tool. But if the client was a bank, AIG would probably require a third-party audit or perform an audit itself, she says. "It depends on the amount of exposures they have and the amount and type of insurance they want," Freeman says.


For its part, Bindview held a Web-based seminar in association with SANS in late February on the legal liability for security breaches. "We've done enough of these to anticipate audience attendance, and we had four times the number of people [4,000 total] register for this event than we normally have," says Mullins. "We're definitely seeing a lot more interest in this space."
The Black Hole

The Computer Security Institute in San Francisco reported these alarming findings, based on the results of its 2002 Computer Crime and Security Survey:

Finding                                                                          Total losses
44% of respondents were willing and/or able to quantify their financial losses   $455,848,000

Within that group, the most-cited reasons for losses were:

Reason                                                                           Total losses
5.1% attributed losses to theft of proprietary information                       $170,827,000
4.9% attributed losses to financial fraud                                        $115,753,000

Base: 503 computer security specialists in U.S. organizations and government
