Cyberinsurance 101: What it is, what to watch for


Ben Vigil, Technical Editor
05.02.2005
What you will learn from this tip: The fundamentals of cyberinsurance, including pitfalls to avoid when shopping for a policy.

For IT personnel, the way to protect a business's assets is through technology. Hardened servers, more redundancy, better security -- if you have a problem, you throw technology at it, right? At some point that technology is going to fail and it won't be able to ensure the continuity of the business. That is where insurance comes in.

Insurance essentially protects an investment from unforeseen circumstances. In the brick-and-mortar world those circumstances could be crime or severe weather. An event as far-reaching and as damaging as a hurricane could also occur in the cyberworld. In a paper, Vern Paxson and Nicholas Weaver at the International Computer Science Institute claim that a worst-case scenario Internet attack could cause $50 billion in economic damage in the U.S. But even without the threat of a widespread attack, downtime of any kind can adversely affect the bottom line of any business.

If you work at a company whose primary business is not online, you might be inclined to trust in the traditional insurance that every company has. Not so fast. Your company might have a full complement of property and liability insurance, but in almost all cases these policies do not cover data. Even in cases where it seems data loss will be covered -- your datacenter gets flooded, for instance -- property insurance will only cover the physical loss of the hardware, not the data stored on it.

In the late 1990s, when companies started to realize both how much their data was worth and how transient its safety could be, they also realized that they needed to insure their investment. It has taken the insurance industry a few years to figure out how to insure intangible data, and in turn market acceptance has been slow.


Where's the cybersecurity coverage these days?
Though companies are expressing more interest in policies to protect against the onslaught of privacy breaches, such insurance still remains a rarity.


So, if you are looking into a cyberinsurance policy, here are a few first steps and pitfalls to avoid.

  • Review your current coverage. Are you spending too much on the traditional plans like property, and errors and omissions? Is more of your company's worth in data?
  • Understand not only what your data is worth to you, but how your systems affect your business's bottom line. How much money could you lose from a single day of downtime? Quantify it. Insurance costs money; calculate the income loss so you can make better-informed decisions.
  • Consider that the purchase of a policy will be made by an executive (a CSO, a CIO, a CEO, a CTO), but also know that the details needed to apply for the policy will come from various departments and levels of the organization. Make sure a single point person helps coordinate business and technical perspectives to ensure that you receive the proper coverage.
  • Most insurance companies are still developing their actuarial experience with regard to cyberinsurance, so make sure you choose one that has a proven track record of cyberinsurance coverage.
  • Insurance is a collective: the more companies that invest in cyberinsurance, the less the coverage will cost.

Remember, not everything can be patched.

SearchSecurity.com