by Preston Gralla

Insurance for Online Attacks Has Yet to Catch On

Dec 01, 2001

When Ted Visner’s Visnet ISP was attacked 44 times by a hacker in early 1999, he assumed that the vandalism clause in his insurance policy would cover the damage: costs he estimated at nearly $350,000. To his chagrin, he discovered that his traditional insurance didn’t recognize the true costs of cyberattacks. The insurer said it would pay only $19,000, forcing Visner to battle the company in court. He lost, and now Visnet is out of business.

If Visner had taken out a cyberinsurance policy, he might have been able to collect more appropriately on his losses.

Cyberinsurance covers a number of areas not normally spelled out in traditional policies. These areas include denial-of-service attacks that bring down e-commerce sites, electronic theft of sensitive information, virus-related damage, losses associated with internal networks crippled by hackers or rogue employees, privacy-related suits, and legal issues associated with websites, such as copyright and trademark violations.

The cost of such policies can be high, running to hundreds of thousands of dollars per year, depending on the size of the business and coverage specifics. But that figure might look reasonable compared with closing the company doors forever. As hacker break-ins, server shutdowns and internal sabotage become the normal costs of doing business, CIOs have to make basic decisions about cyberinsurance. Does the company need cyberinsurance at all, or will existing policies suffice? Would it be more beneficial to spend the money on additional security technology instead of insurance? If the company does decide to buy cyberinsurance, what should the policy cover? Some insurance providers offer discounted premiums for companies that use certain software or security services. This can make cyberinsurance a technology issue as well as a financial and legal question, and it can even take some security decisions out of IT’s control and place them in the hands of insurance adjusters and actuarial tables.

Still Waiting

Given these questions, it’s understandable that cyberinsurance has yet to catch on in a big way, especially when you consider that many CIOs don’t even know such policies exist.

And even those executives who are aware of the offerings don’t always bite. Ken Anderson, CIO for Provo, Utah-based Novell, acknowledges that his company looked into purchasing cyberinsurance but has yet to buy any. Company lawyers, he says, determined that Novell’s existing liability insurance offers adequate coverage, making cyberinsurance redundant.

Like Anderson, John Voeller, chief knowledge officer and CTO of Kansas City, Mo., engineering construction company Black & Veatch, investigated cyberinsurance but decided not to purchase it. “We’ve talked to a lot of insurance companies about it,” he says, “but we haven’t seen something we can use broadly here and overseas. We operate globally, and some of the protections we can buy in some places we can’t buy in others.”

Voeller also believes that cyberinsurance simply can’t cover the real financial risks of cyberattacks. “In our business, if we miss four e-mails [because of a hacker bringing down a server], we might miss $10 million in new business being offered, but we wouldn’t get paid for the missed business because how do you put that in insurance coverage?”

Discounts, at a Price

In the hopes of attracting skeptical CIOs to their plans, some cyberinsurance companies offer premium discounts to companies that implement certain products or security services. For example, Wurzler Underwriting Managers in Okemos, Mich., recently offered clients a 5 percent to 30 percent premium break if they use Linux or Unix servers rather than Windows NT. Walter Kopf, former senior vice president of underwriting for Wurzler, explains the difference by noting that in most cases, Linux and Unix systems are configured more securely so that they’re less vulnerable to attack. “Customers aren’t getting a break because they’re using Linux software,” he says. “They’re getting a break because those people with Linux tend to have more secure configurations.” (Cyberinsurance provider Safeonline recently hired Wurzler founder John Wurzler and is acquiring some of his company’s assets. Safeonline claims that it will not provide discounts, as there isn’t actuarial data to support the practice.)

Lloyd’s America Insurance also offers discounts. For example, if companies use Tripwire’s security software or Counterpane’s security services, they’ll receive a 10 percent reduction on their premiums. “It’s like a business having a fire alarm or sprinklers in a building,” says Wendy Baker, president of Lloyd’s America. “When they do that, they deserve a credit…. It makes for a better risk and so they should be entitled to a break on their premiums.”

The discounts can add up to big money. Cyberinsurance premiums vary widely, but for a sizable site requiring a great deal of coverage, the costs can easily run from $100,000 to $300,000 a year, notes Wyatt Starnes, president and CEO of Portland, Ore.-based Tripwire. That means a discount anywhere from $10,000 to $30,000. CIOs have to balance that premium reduction against the cost of buying the software, however, which in Tripwire’s case is $1,000 per server plus an 18 percent annual maintenance fee.

Lloyd’s Baker concedes that for now, her company still writes very few cyberinsurance policies. In the long run, however, she believes that there’s a chance the premium breaks could have a significant effect on which software and services survive in the market.

“Underwriters Labs puts their seal on things like fire and burglar alarms, and if you look at [cyberinsurance] way down the road, you can imagine a kind of Good Housekeeping Seal of Approval stamp on certain products,” and that seal could ultimately give them greater market share, she says.

Novell’s Anderson concurs. “It’s like car insurance,” he says. “In the future, as certain platforms have more break-ins, people who use those platforms will be charged an extra premium, just like a car with more rollovers will be charged a higher premium.”

But not everyone agrees. “I don’t think that will make a difference in the long run,” Voeller says. “It’s a shortsighted perspective believing that using Linux servers will make you magically better off. There are fewer break-ins on Linux servers because there are fewer people using them. The insurance industry is just playing with actuarial tables.”

Whether the policies ultimately influence which products dominate a market remains to be seen. Before that can happen, more companies, many more, will need to buy policies. And at least for now, the indicators aren’t pointing toward a sudden surge in the rolls of the cyberinsured. “I haven’t heard of a lot of clients signing up,” says Allan Carey, a senior analyst for IDC (a sister company to CIO’s publisher, CXO Media). “A lot of companies have inquired about it, but they haven’t gone ahead yet.” Carey notes that a big issue is whether the money would be better spent elsewhere, such as implementing new security solutions or bolstering existing ones.

Worse, some CIOs believe that taking out cyberinsurance and then buying particular pieces of hardware or software in the search for discounted premiums might provide a false sense of safety. If that becomes the case, the policies may even prove a detriment to security.

And Novell’s Anderson warns that taking out cyberinsurance would be a mistake if it leads companies to believe that the policy somehow releases them from the task of handling security properly. “There is no insurance policy that will replace my responsibility,” he says.