Cyber insurance offers IT peace of mind -- or maybe not

Cyber insurance can protect your company against data loss and liability, but it's pricey, and coverage can be complicated.

Page 3 of 5

Ken Goldstein, vice president of Chubb Group of Insurance Companies in Warren, N.J., explains that cyber insurance falls into two general buckets. The first bucket covers costs associated with third-party liabilities, that is, claims from other organizations, and the second covers first-party expenses and/or losses, that is, damage to your own organization.

Additionally, policies are available that cover costs associated with a breach, such as third-party notification and PR expenses.

Of course, companies can purchase policies to address both first and third parties, so they're covered for a range of scenarios -- from the cost of notifying customers whose data was breached, to the cost of hiring a forensic IT team, even to paying extortion/ransom demands, Goldstein says. (See an example of Chubb's range of offerings here.)

IT pros as insurance experts?

Given that cyber insurance policies aren't one-size-fits-all and aren't as straightforward as other types of corporate insurance, companies need to determine exactly what coverage they need and whether it makes sense to pay the premiums associated with that coverage, says Eric J. Sinrod, a San Francisco-based partner at national law firm Duane Morris LLP.

That's where IT comes in. An organization's risk management and legal folks understand the language of insurance riders and exclusions, but no one is better equipped to understand and articulate an organization's information security system than the people who run it.

"The CIO is on the front lines in dealing with information systems and should know about actual and potential problems," says Sinrod, who hosts his firm's TechLaw10 audio podcast updates on technology law issues.

IT managers can also assist with facilitating an accurate cost-benefit analysis. "It might cost the company less to recreate the data than it would be to pay for the insurance premium," he warns.

The risk evaluation process requires more than merely articulating what security measures are in place, explains Mark Lobel, a principal and a security benchmarking expert at PricewaterhouseCoopers.

Sample cyber insurance coverage options

Third-Party Liability       First-Party Crime Expense
Disclosure injury           Privacy notification expense
Content injury              Crisis management and reward expense
Reputational injury         E-business interruption and extra expense
Conduit injury              E-theft loss
Impaired-access injury      E-communications loss
                            E-threat expense
                            E-vandalism expense

Source: Chubb Group of Insurance Agencies

Companies first must ensure they follow the best information security practices for their industries, he says. Insurance companies will want to know what security exists at a company before they write any policy, and they might even require a third-party audit to verify what's in place.

Then IT leaders should determine potential threats, their likelihood of occurring, and how such threats would impact the organization should they happen.

"You protect as much as reasonable, and insure against your residual risk. You can't insure [correctly] if you don't understand the risks," Lobel explains. "So you have to have a risk-based approach. You have to be able to say, 'Here's what I think can still go wrong because I'm not willing to spend $100 million for security.'"
