Cyber insurance offers IT peace of mind -- or maybe not

Cyber insurance can protect your company against data loss and liability, but it's pricey, and coverage can be complicated.

Page 4 of 5

Lobel suggests companies consider hiring a third party to perform a risk assessment to help fully identify and understand their security risks and identify areas for improvement. In fact, he says many insurance companies require such independent assessments to help determine premiums.

Just what insight can IT contribute to the decision-making process? Foley & Lardner's Overly offers two examples. The IT lead at a furniture manufacturer, for instance, should be able to make the case that his company doesn't store customer data electronically and therefore isn't a likely target for a hacker looking for credit card numbers. But the company still has critical systems that, if compromised, could shut down not only its own operations but perhaps also work at its partner organizations -- a chain of events that could expose the company to loss-of-revenue liability.

On the other hand, Overly says, that hacker looking for customer data is of great concern to the CIO at a retail operation; if a breach occurred, the company could be required to spend millions on customer notifications, public relations and legal fees.

"A risk management person can't make these decisions without talking to the CIO -- that's the person who will give input on how much insurance coverage the company needs and what [threats] it really needs to worry about," Overly says.

Not all companies -- or all IT departments -- are comfortable with this level of self-scrutiny, ASIS International's Fergus points out.

"There is a head-in-the-sand kind of view, 'I'm happy not knowing what I don't know,' " he says. "IT people and business people in general don't like to be criticized in terms of their ability to perform their duties. They may know they're vulnerable, but they don't want to write it down."

Sticker shock

Even companies that have done their due diligence in terms of assessing cyber risk can be in for a jolt, Fergus says. "They go out to the [insurance] carriers, and they get sticker shock."

That's because cyber liability insurance can cost $7,000 to $40,000 per million dollars of loss. And with losses possibly totaling in the tens -- or even hundreds -- of millions, a policy large enough to cover such costs can carry staggering premiums.

"Insurance companies want to make money, and the only way they can do that is betting that your premium will exceed the cost of mitigating your claim. [They] are well aware of the costs of mistakes and missing security pieces," says Hord Tipton, executive director at the International Information Systems Security Certification Consortium Inc., or (ISC)2, a nonprofit organization that educates and certifies information security professionals.

Deciding how much coverage to buy can be tricky -- too little, and you don't cover your exposure. Too much, and you face the prospect of sky-high premiums.

Towers Watson's Risk and Finance Manager survey found that 61% of the responding companies that were carrying network liability policies bought $10 million to $49.9 million limits, with only 8% purchasing policies with $50 million or more in limits.
