What you will learn from this tip: The fundamentals of cyberinsurance, including pitfalls to avoid when shopping for a policy.
For IT personnel, the way to protect a business's assets is through technology. Hardened servers, more redundancy, better security -- if you have a problem, you throw technology at it, right? At some point that technology is going to fail and it won't be able to ensure the continuity of the business. That is where insurance comes in.
Insurance essentially protects an investment from unforeseen circumstances. In the brick and mortar world those circumstances could be crime or severe weather. An event as far reaching and as damaging as a hurricane could also occur in the cyberworld. In a paper, Vern Paxson and Nicholas Weaver at the International Computer Science Institute, claim that a worst-case scenario Internet attack could cause $50 billion in economic damage in the U.S. But even without the threat of a widespread attack, downtime of any kind can adversely affect the bottom line of any business.
If you work at a company whose primary business is not an online entity you might be inclined to trust in the traditional insurance that every company has. Not so fast. Your company might have a full complement of property and liability insurance, but in almost all cases these do not cover data. Even in cases where it seems data loss will be covered -- your datacenter gets flooded, for instance -- property insurance will only cover the physical loss of the hardware, not the data stored on it.
In the late 1990s when companies started to realize both how much their data was worth and how transient its safety could be, they also realized that they needed to insure their investment. It has taken the insurance industry a few years to figure out how to insure intangible data and in turn market acceptance has been slow.
Where's the cybersecurity coverage these days?
Though companies are expressing more interest in policies to protect against the onslaught of privacy breaches, such insurance still remains a rarity.
So, if you are looking into a cyberinsurance policy here are a few first steps and pitfalls to avoid.
- Review your current coverage. Are you spending too much on the traditional plans like property, and errors and omissions? Is more of your company's worth in data?
- Understand not only what your data is worth to you, but how your systems affect your business's bottom line. How much money could you lose from a single day of downtime? Quantify it. Insurance costs money, calculate the income loss so you can make better informed decisions.
- Consider that the purchase of a policy will be made by an executive, a CSO, a CIO, a CEO, a CTO, but also know that the details needed to apply for the policy will come from various departments and levels of the organization. Make sure a single point person helps coordinate business and technical perspectives to ensure that you receive the proper coverage.
- Most insurance companies are still developing their actuarial experience with regard to cyberinsurance, so make sure you choose one that has a proven track record of cyberinsurance coverage.
- Insurance is a collective, the more companies that invest in cyberinsurance the less the coverage will cost.
Remember, not everything can be patched.