If Visner had taken out a cyberinsurance policy, he might have been able to collect more appropriately on his losses.

Cyberinsurance covers a number of areas not normally spelled out in traditional policies. These areas include denial-of-service attacks that bring down e-commerce sites, electronic theft of sensitive information, virus-related damage, losses associated with internal networks crippled by hackers or rogue employees, privacy-related suits, and legal issues associated with websites, such as copyright and trademark violations.

The cost of such policies can be high, running to hundreds of thousands of dollars per year, depending on the size of the business and coverage specifics. But that figure might look reasonable compared with closing the company doors forever. As hacker break-ins, server shutdowns and internal sabotage become the normal costs of doing business, CIOs have to make basic decisions about cyberinsurance. Does the company need cyberinsurance at all, or will existing policies suffice? Would it be more beneficial to spend the money on additional security technology instead of insurance? If the company does decide to buy cyberinsurance, what should the policy cover? Some insurance providers offer discounted premiums for companies that use certain software or security services. This can make cyberinsurance a technology issue as well as a financial and legal question, and it can even take some security decisions out of IT’s control and place them in the hands of insurance adjusters and actuarial tables.

Still Waiting

Given these questions, it’s understandable that cyberinsurance has yet to catch on in a big way, especially when you consider that many CIOs don’t even know such policies exist.

And even those executives who are aware of the offerings don’t always bite. Ken Anderson, CIO for Provo, Utah-based Novell, acknowledges that his company looked into purchasing cyberinsurance but has yet to buy any. Company lawyers, he says, determined that Novell’s existing liability insurance offers adequate coverage, making cyberinsurance redundant.

Like Anderson, John Voeller, chief knowledge officer and CTO of Kansas City, Mo., engineering construction company Black & Veatch, investigated cyberinsurance but decided not to purchase it. "We’ve talked to a lot of insurance companies about it," he says, "but we haven’t seen something we can use broadly here and overseas. We operate globally, and some of the protections we can buy in some places we can’t buy in others."