In December 2011, the New York Times reported that only one third of companies had insurance against losses related to their information technology. Generally called cyber insurance, this protection gained a foothold during the 1990s. For AEC businesses using the cloud, cyber insurance can be the backstop for scenarios where the best-laid security plans didn’t work out.
According to a U.S. government report:
Cyber-insurance is an insurance product used to protect businesses from Internet-based risks, and more generally from risks relating to information technology infrastructure and activities. Risks of this nature are typically excluded from traditional commercial general liability policies. Coverages provided by cyber-insurance policies may include first-party coverage against losses such as data destruction, extortion, theft, hacking, and denial of service attacks; liability coverage indemnifying companies for losses to others caused, for example, by errors and omissions, failure to safeguard data, or defamation; and other benefits including regular security audits, post-incident public relations and investigative expenses, and criminal reward funds.
While estimates of total premiums being paid for cyber insurance currently rest in the hundreds of millions range, there are those who are predicting a 50 percent growth in that number during the next 12 months, according to the New York Times article. The problem is that IT has not traditionally been involved in insurance planning, yet IT staff are the people most familiar with the potential risks. Add a generally low understanding of just what insurance policies do and do not cover, and the stage is set for surprises when things go wrong. Just like homeowners’ policies, business policies have many exclusions. In one example cited in a Computerworld article this year, the cost of a damaged server is generally covered under business insurance policies, but not the cost of liability associated with NOT providing contracted services to a customer. Likewise, data loss and the inability to access data are usually not covered.
While cyber insurance was initially focused on protecting companies when data breaches occurred, today’s adoption of the cloud adds a whole new level of complexity to insuring against cyber losses. Vendors of cloud computing products and services aren’t going to insure your losses, so it falls to you. But the risks now extend beyond the cloud to all of those mobile consumer devices being brought to the job by employees. You can bet your standard business insurance isn’t going to cover any problems that arise from company data breached on an employee’s hardware. So far, though, it is generally assumed that cyber insurance policies will follow the risks to their natural destinations.
In 2010, every breached data record cost companies more than $20, and the costs can be staggering, going beyond the data loss or compromise itself to lawsuits for damages brought by those whose data was affected. One sobering example was Sony’s experience with more than 100 million records breached. With that kind of potential for loss, cyber insurance should in many cases be a no-brainer. However, many companies resist buying the coverage because cyber insurance policies can cost up to 4 percent per million. With potential losses running in the hundreds of millions for large events, the outlay could appreciably increase a firm’s annual insurance expenses.
The experts say a thorough assessment of the risks is the place to start when deciding if a cyber insurance policy is needed. For those moving to the cloud, the urgency of doing that is greater, and it might even be considered a final component of a complete cloud security plan.