Insurance for Online Attacks Has Yet to Catch On
Voeller also believes that cyberinsurance simply can’t cover the real financial risks of cyberattacks. "In our business, if we miss four e-mails [because of a hacker bringing down a server], we might miss $10 million in new business being offered, but we wouldn’t get paid for the missed business because how do you put that in insurance coverage?"
Discounts, at a Price
In the hopes of attracting skeptical CIOs to their plans, some cyberinsurance companies offer premium discounts to companies that implement certain products or security services. For example, Wurzler Underwriting Managers in Okemos, Mich., recently offered clients a 5 percent to 30 percent premium break if they use Linux or Unix servers rather than Windows NT. Walter Kopf, former senior vice president of underwriting for Wurzler, explains the difference by noting that in most cases, Linux and Unix systems are configured more securely so that they’re less vulnerable to attack. "Customers aren’t getting a break because they’re using Linux software," he says. "They’re getting a break because those people with Linux tend to have more secure configurations." (Cyberinsurance provider Safeonline recently hired Wurzler founder John Wurzler and is acquiring some of his company’s assets. Safeonline claims that it will not provide discounts, as there isn’t actuarial data to support the practice.)
Lloyd’s America Insurance also offers discounts. For example, if companies use Tripwire’s security software or Counterpane’s security services, they’ll receive a 10 percent reduction on their premiums. "It’s like a business having a fire alarm or sprinklers in a building," says Wendy Baker, president of Lloyd’s America. "When they do that, they deserve a credit.... It makes for a better risk and so they should be entitled to a break on their premiums."
The discounts can add up to big money. Cyberinsurance premiums vary widely, but for a sizable site requiring a great deal of coverage, the costs can easily run from $100,000 to $300,000 a year, notes Wyatt Starnes, president and CEO of Portland, Ore.-based Tripwire. That means a discount anywhere from $10,000 to $30,000. CIOs have to balance that premium reduction against the cost of buying the software, however, which in Tripwire’s case is $1,000 per server plus an 18 percent annual maintenance fee.
New Trends
Lloyd’s Baker concedes that for now, her company still writes very few cyberinsurance policies. In the long run, however, she believes that there’s a chance the premium breaks could have a significant effect on which software and services survive in the market.





