Fires are catastrophic. Fire insurance, though, can replace the building, equipment and, in some cases, revenue. Hackers and worms can also cause catastrophic loss, but insurance doesn't treat them the same way.
Traditional business casualty and liability insurance only covers physical damage and loss; losses of essential data and business applications aren't covered. That's why insurance companies -- including American International Group, Lloyd's of London and Marsh -- began offering "cyber risk insurance" about five years ago.
"Insurance is part of the total risk management for security," says Emily Freeman, vice president at AIG, a global insurance and financial services company. "No matter what you do in terms of technology, the risks can't go to zero since it's a combined people, process and technology problem. The role of insurance is to stand behind your best efforts and deal with events that can't be prevented or mitigated."
The Yankee Group predicted in 1999 that cyberinsurance would skyrocket from $100 million in coverage to $7 billion in 2004. Yet, the market has remained underwhelmed by the concept. One broker says he's only closed three sales out of 100 cyberinsurance proposals. The most recent prediction from the Insurance Information Institute in New York is that coverage might reach $3 billion or $4 billion in the next three years.
This lack of interest appears to be based on a misconception: The most recent Ernst & Young Global Information Security Survey found that 33% of 1,400 respondents mistakenly assume their conventional business insurance covers computer security events. Others don't see the value in the insurance, or fear that filing an insurance claim would expose security and intelligence breaches.
Nevertheless, the cyberinsurance business has doubled annually for the last two years as more security and risk managers accept that even the best security measures can't stop every attack.
"With insurance, IT managers no longer have to say that there's no risk," says Steve Haase, president of Insuretrust, an Atlanta-based insurance broker. "They can say that they have done what a prudent businessperson could do, and, while there are still risks, 'We have insurance.'"
Note: This column originally appeared in the August issue of Information Security magazine.