Computer hackers stealing customers' credit card information are no longer just a threat to traditional technology and Internet companies. ChoicePoint, Polo Ralph Lauren and LexisNexis have captured headlines recently as victims of credit card theft. They're among the thousands of companies at risk from hackers breaking into their computer systems to take and abuse customers' personal information.

These days, every company doing business over the Internet is at risk, whether the company is a huge software maker, a bricks-and-mortar retailer with a dot-com presence or a tiny retailer selling specialty crafts online.

All businesses have private, critical information that's at risk. It could be anything from patents on intellectual property to customer social security numbers.

Unfortunately for these companies - and their customers - many digital losses are not covered under traditional corporate insurance policies. Commercial general liability policies - in particular the personal injury and advertising injury coverages - now offer very limited coverage for many of the risks emerging from the widespread use of the Internet for commerce. In addition, policies covering damage to your own property, vandalism, business interruption, and dishonesty focus on tangible property but offer little protection for malicious programming (viruses) and for intellectual property - significant exposures for many companies. These policies typically offer very limited coverage for loss of computer data, regardless of how catastrophic or debilitating the loss.

This leaves companies victimized by computer losses open to substantial financial damages - and the exposures are growing every day. Realizing this, a number of companies are seeking protection through a type of coverage loosely referred to as "cyber insurance." This insurance line has emerged over the past several years as a way for companies to hedge against lawsuits from customers whose personal information is stolen - or other lawsuits from customers alleging financial harm from misuse of digital information.

Let's look at two examples:

1. Fictional web site design firm "Web Design," which has 100 employees and $40 million in annual sales. Fictional client "Widget World" hires Web Design to design a Web site to sell products. In addition, Web Design creates a customized order package for Widget World to take orders online. The ordering software assesses tax on orders. Unfortunately, Widget World later learns it is not authorized to collect the tax and must refund the money to customers. The cost to Widget World is $250,000, which they decide to recover by suing Web Design. If that weren't enough, a Widget World competitor sues Widget World, claiming its website looks too similar to the competitor's Web site. Widget World then sues Web Design for trademark infringement. This used to be covered under Web Design's general liability policy, but that policy now excludes it. Cyber insurance typically provides this coverage.

2. A fictional retailer decides to offer products to customers online with payment by credit card as an option. A hacker breaks through the security and obtains and sells private information on the credit cards and social security numbers of 300,000 customers. The retailer notifies its customers of the security breach, but is exposed to claims from customers for unauthorized use of their credit cards as well as potential identity theft. Traditional policies exclude this, but coverage can be bought back through certain kinds of cyber insurance.

Within the computer security industry, cyber insurance is gaining interest. A panel discussed it at the February 2005 RSA Conference and Expo, a leading security conference, in San Francisco. Many insurance companies now offer cyber insurance in one form or another. The coverage is evolving and pricing is improving as more companies express interest in the coverage and the industry sorts through new computer threats and the best ways to protect against them.

Insurance companies offer varied products that protect against different kinds of threats or losses, including:

- Copyright and trademark infringement
- Misuse of intellectual property
- Negligent acts, errors, or omissions
- Failure to perform, breach of warranty or representation
- Libel, slander
- Invasion of privacy
- Denial of service or unauthorized access to, use of or introduction of malicious codes into data, software, systems or networks

Although cyber insurance has been available for the past four or five years, many larger companies choose to self-insure this exposure. However, as it has become more affordable and the coverage has evolved, even some of the largest firms in this area have taken advantage of it.

Premiums also vary based on the type of company being insured. A technology company, whose core business involves computers and the Internet, will pay more for cyber insurance than a company that only does 5 percent of its business over the Internet. For technology companies, the premiums are high in relation to other coverages. For example, cyber insurance may cost as much as 2.5 times the premium for directors and officers liability insurance and 25 times as much as general liability coverage for a small to mid-size technology company. It may be hard for such a company to swallow the relatively high cost of cyber insurance. But if the firm doesn't buy it, it could be gambling the entire company. If someone hacks into the company's computer system and misuses the information stored there, it could be potentially devastating.

The process of obtaining cyber insurance offers other benefits. Before an insurance company grants coverage for cyber exposures, it often works with the company to assess the risk and evaluate controls, including security measures in place to avoid or mitigate losses. This can identify vulnerable areas and the need for improved controls. Insurers also work with the company to make sure the company is prepared to respond promptly to problems, contain losses and keep them from escalating, and finally, to pay claims from a catastrophic event. The priorities are loss prevention, claim mitigation, and loss payment.

Companies that want cyber insurance will have to prove they:

- Have a formal privacy policy in place
- Have a policy governing whether and how they will sell or disseminate personal information
- Will be responsible for personal data such as health and financial information
- Have intellectual property rights clearance procedures for new and current employees
- Have a formal policy on how to respond to security breaches and other complaints, in addition to inaccurate, defamatory or troublesome content
- Have policies in place to protect users of chatrooms and bulletin boards
- Have a security plan and protocols in place that are updated routinely
- Have hired hackers to try to breach their security
- Are ensuring the quality of their products and that they comply with standards, maintain documents, have a customer notification plan, and a plan to recall and fix products
- Have planned for worst-case scenarios

Higher deductibles for cyber insurance are common. It's important that the company being insured has some "skin in the game" so they'll help control the risk and keep losses from happening.

Overall, having cyber insurance is part of a company's entire risk management effort, also known as "enterprise risk management." This involves looking at the business comprehensively and strategically to determine what can threaten a company's survival. Cyber-related losses could be so extraordinary that they would fall into this category. If a company does any significant portion of its business over the Internet - which includes selling products or services, communicating with employees or customers and exchanging information - it could be exposed to problems from people who want to cause havoc or harm.

For these companies, cyber insurance offers tools for managing their digital risk.