Cyber Insurance

By Susan E. Fisher

Posted October 5, 2001 01:01 PM Pacific Time

VIRUSES CRIPPLE E-MAIL and riddle networks.
Cyberthieves break into Web servers and steal customer
data. Malicious hackers set off DoS (denial of
service) attacks. What's to keep an IT professional
from tossing and turning in the face of such
nightmares? One answer may be cyberinsurance.

Although far from a perfect or cheap safety net,
cyberinsurance -- also known as e-commerce insurance
or e-peril insurance -- is designed to address gaps
left by traditional business insurance, which
generally covers tangible assets rather than
nontangible but increasingly valuable assets such as
customer data. Cyberinsurance addresses the new risks
arising from increasing dependence on the Internet,
experts say.

"Traditional insurance doesn't provide any adequate
answers for these kinds of exposures," says Emily
Freeman, who specializes in selling e-commerce
insurance as senior vice president of Marsh USA Risk
and Insurance Management in San Francisco. "They
weren't designed for this risk and, in many cases,
underwriters [of traditional business insurance
policies] are retreating from this [area of] risk."

For online jeweler Ice.com's CTO Steve Bramson,
cyberinsurance is one critical piece of a broad
strategy to protect his company from unforeseen damage
and liability concerns.

"We know there's a lot of uncertainty in this area. We
have high aspirations for our company; we want to make
sure we are protected in any eventuality," Bramson
says, adding that Montreal-based Ice.com depends on
the Web as a sales channel.

Bramson found that traditional insurance wouldn't cover
most of the risk exposure the company faces online, so
on his recommendation, Ice.com bought a cyberinsurance
policy from Lloyd's of London. Although Bramson says
he works to secure network infrastructure with
firewall and encryption technologies and maintains a
tight lid on fraud via policies and procedures, "You
can never be 100 percent absolutely, positively
certain" that problems won't arise, he explains.

The burden for handling these new risks often falls
upon IT managers' shoulders. According to a survey of
nearly 1,500 U.S. and European executives conducted by
Schulman, Ronca & Bucuvalas for the St. Paul Companies
published this year, the 65 percent of the U.S.
executives responsible for their company's property
and liability insurance defer primary responsibility
for identifying and monitoring technology risks to
their IT departments.

Cyberinsurance aims to counter financial loss resulting
from network breaches, intellectual property and
content-infringement cases, plus electronic errors and
omissions, says Mike Zeldes, senior vice president of
Kaye Insurance Associates in New York, a member of Hub
International. There are generally four key areas
covered by cyberinsurance: liability, crime, business
interruption, and crisis management.

Liability coverage looks to content-related concerns
such copyright and trademark infringement, privacy
violations, and libel; network-related issues such as
breaches in security or errors that cause financial
damage; and software code infringements.

Business interruption insurance offers protection for
data and other electronic assets against programming
error, intrusions and viruses. It also provides
protection for the loss of business income due to
Internet and network service disruptions.

Cybercrime insurance guards against losses due to
computer crime and theft of computer system resources
or extortion. Crisis management insurance provides
funds to analyze system breaches and handle public
relations in the face of Internet-related problems.

A company initiating an Internet venture opens itself
to risks it may have never considered, says Zeldes,
noting that "general liability [coverage] is very
specific." For example, if someone sues a hardware
company for making an allegedly libelous remark on its
new Web site, a traditional business insurance policy
might not protect the hardware company because it has
moved into a new business for which it is not insured
-- the publishing business, Zeldes explains.

For businesses, shopping for and comparing
cyberinsurance policies may be difficult because
carriers use very different language and are new to
placing value on losses, notes Rossi. Some carriers
require security audits for companies seeking more
extensive coverage, and Farber adds that companies may
also be required to be current on virus software and
firewall technology in order to qualify for claims.

So far adoption of cyberinsurance policies to cover
first-party losses has been relatively slow, notes
Allan Carey, an analyst at Framingham, Mass.-based
IDC. "It's not a proactive approach to security, it's
reactive," he says. "Companies are better off
implementing security solutions that will help fortify
network infrastructure, then supplement that with
cyberinsurance if they feel it's necessary." Michael
Rossi, president of the Insurance Law Group, a
Glendale, Calif., law firm, is now counselling his
Fortune 500 clients to investigate cyberinsurance, as
insurance companies begin discussing electronic data
exclusions for their policies: Computer data would not
be considered tangible property covered by standard
property loss claims.

Further, "most traditional property forms have a narrow
coverage -- the United States, Canada, Puerto Rico,"
notes Jon Farber, assistant vice president for global
underwriting operations, technology at St. Paul
Companies, a large insurance carrier based in St.
Paul, Minn. Because Internet operations are inherently
global, "there would be a coverage gap when looking at
the territory," he adds.

In addition to Lloyd's of London, AIG (American
International Group), Chubb, and Zurich North America
also offer cyberinsurance. But because few carriers
sell these specialized policies, cyberinsurance is
"very expensive," and most carriers limit coverage to
$20 million to $25 million, Rossi says. A low-end
policy from Chubb, for instance, has a premium of
around $2,700 per year for $1 million in coverage,
with a $5,000 deductible. Policies cost into the tens
of thousands of dollars for multimillion dollar
coverage.

Ironically, notes Ice.com's Bramson, online insurance
is one product a company buys that "hopefully you
never will use."

Return to Library of Business Information