Cyberinsurance 101: What it is, what to watch for


Ben Vigil, Technical Editor
05.02.2005

What you will learn from this tip: The fundamentals of cyberinsurance, including pitfalls to avoid when shopping for a policy.

For IT personnel, the way to protect a business's assets is through technology. Hardened servers, more redundancy, better security -- if you have a problem, you throw technology at it, right? At some point that technology is going to fail and it won't be able to ensure the continuity of the business. That is where insurance comes in.

Insurance essentially protects an investment from unforeseen circumstances. In the brick-and-mortar world those circumstances could be crime or severe weather. An event as far-reaching and as damaging as a hurricane could also occur in the cyberworld. In a paper, Vern Paxson and Nicholas Weaver of the International Computer Science Institute claim that a worst-case scenario Internet attack could cause $50 billion in economic damage in the U.S. But even without the threat of a widespread attack, downtime of any kind can adversely affect the bottom line of any business.

If you work at a company whose primary business is not online, you might be inclined to trust in the traditional insurance that every company has. Not so fast. Your company might have a full complement of property and liability insurance, but in almost all cases these do not cover data. Even in cases where it seems data loss will be covered -- your datacenter gets flooded, for instance -- property insurance will only cover the physical loss of the hardware, not the data stored on it.

In the late 1990s, when companies started to realize both how much their data was worth and how transient its safety could be, they also realized that they needed to insure their investment. It has taken the insurance industry a few years to figure out how to insure intangible data, and in turn market acceptance has been slow.




So, if you are looking into a cyberinsurance policy, here are a few first steps and pitfalls to avoid.

  • Review your current coverage. Are you spending too much on the traditional plans like property, and errors and omissions? Is more of your company's worth in data?
  • Understand not only what your data is worth to you, but how your systems affect your business's bottom line. How much money could you lose from a single day of downtime? Quantify it. Insurance costs money, so calculate the income loss to make better-informed decisions.
  • Consider that the purchase of a policy will be made by an executive (a CSO, a CIO, a CEO or a CTO), but also know that the details needed to apply for the policy will come from various departments and levels of the organization. Make sure a single point person helps coordinate business and technical perspectives to ensure that you receive the proper coverage.
  • Most insurance companies are still developing their actuarial experience with regard to cyberinsurance, so make sure you choose one that has a proven track record of cyberinsurance coverage.
  • Insurance is a collective: the more companies that invest in cyberinsurance, the less the coverage will cost.

Remember, not everything can be patched.
