When Ted Visner\u2019s Visnet ISP was attacked 44 times by a hacker in early 1999, he assumed that the vandalism clause in his insurance policy would cover the damage?costs he estimated at nearly $350,000. To his chagrin, he discovered that his traditional insurance didn\u2019t recognize the true costs of cyberattacks. The insurer said it would pay only $19,000, forcing Visner to battle the company in court. He lost?and now Visnet is out of business. If Visner had taken out a cyberinsurance policy, he might have been able to collect more appropriately on his losses. Cyberinsurance covers a number of areas not normally spelled out in traditional policies. These areas include denial-of-service attacks that bring down e-commerce sites, electronic theft of sensitive information, virus-related damage, losses associated with internal networks crippled by hackers or rogue employees, privacy-related suits, and legal issues associated with websites, such as copyright and trademark violations. The cost of such policies can be high, running to hundreds of thousands of dollars per year, depending on the size of the business and coverage specifics. But that figure might look reasonable compared with closing the company doors forever. As hacker break-ins, server shutdowns and internal sabotage become the normal costs of doing business, CIOs have to make basic decisions about cyberinsurance. Does the company need cyberinsurance at all, or will existing policies suffice? Would it be more beneficial to spend the money on additional security technology instead of insurance? If the company does decide to buy cyberinsurance, what should the policy cover? Some insurance providers offer discounted premiums for companies that use certain software or security services. This can make cyberinsurance a technology issue as well as a financial and legal question, and it can even take some security decisions out of IT\u2019s control and place them in the hands of insurance adjusters and actuarial tables. Still WaitingGiven these questions, it\u2019s understandable that cyberinsurance has yet to catch on in a big way, especially when you consider that many CIOs don\u2019t even know such policies exist. And even those executives who are aware of the offerings don\u2019t always bite. Ken Anderson, CIO for Provo, Utah-based Novell, acknowledges that his company looked into purchasing cyberinsurance but has yet to buy any. Company lawyers, he says, determined that Novell\u2019s existing liability insurance offers adequate coverage, making cyberinsurance redundant.Like Anderson, John Voeller, chief knowledge officer and CTO of Kansas City, Mo., engineering construction company Black & Veatch, investigated cyberinsurance but decided not to purchase it. "We\u2019ve talked to a lot of insurance companies about it," he says, "but we haven\u2019t seen something we can use broadly here and overseas. We operate globally, and some of the protections we can buy in some places we can\u2019t buy in others."Voeller also believes that cyberinsurance simply can\u2019t cover the real financial risks of cyberattacks. "In our business, if we miss four e-mails [because of a hacker bringing down a server], we might miss $10 million in new business being offered, but we wouldn\u2019t get paid for the missed business because how do you put that in insurance coverage?"Discounts?at a PriceIn the hopes of attracting skeptical CIOs to their plans, some cyberinsurance companies offer premium discounts to companies that implement certain products or security services. For example, Wurzler Underwriting Managers in Okemos, Mich., recently offered clients a 5 percent to 30 percent premium break if they use Linux or Unix servers rather than Windows NT. Walter Kopf, former senior vice president of underwriting for Wurzler, explains the difference by noting that in most cases, Linux and Unix systems are configured more securely so that they\u2019re less vulnerable to attack. "Customers aren\u2019t getting a break because they\u2019re using Linux software," he says. "They\u2019re getting a break because those people with Linux tend to have more secure configurations." (Cyberinsurance provider Safeonline recently hired Wurzler founder John Wurzler and is acquiring some of his company\u2019s assets. Safeonline claims that it will not provide discounts, as there isn\u2019t actuarial data to support the practice.)Lloyd\u2019s America Insurance also offers discounts. For example, if companies use Tripwire\u2019s security software or Counterpane\u2019s security services, they\u2019ll receive a 10 percent reduction on their premiums. "It\u2019s like a business having a fire alarm or sprinklers in a building," says Wendy Baker, president of Lloyd\u2019s America. "When they do that, they deserve a credit....It makes for a better risk and so they should be entitled to a break on their premiums."The discounts can add up to big money. Cyberinsurance premiums vary widely, but for a sizable site requiring a great deal of coverage, the costs can easily run from $100,000 to $300,000 a year, notes Wyatt Starnes, president and CEO of Portland, Ore.-based Tripwire. That means a discount anywhere from $10,000 to $30,000. CIOs have to balance that premium reduction against the cost of buying the software, however, which in Tripwire\u2019s case is $1,000 per server plus an 18 percent annual maintenance fee.New TrendsLloyd\u2019s Baker concedes that for now, her company still writes very few cyberinsurance policies. In the long run, however, she believes that there\u2019s a chance the premium breaks could have a significant effect on which software and services survive in the market."Underwriters Labs puts their seal on things like fire and burglar alarms, and if you look at [cyberinsurance] way down the road, you can imagine a kind of Good Housekeeping Seal of Approval stamp on certain products," and that seal could ultimately give them greater market share, she says. Novell\u2019s Anderson concurs. "It\u2019s like car insurance," he says. "In the future, as certain platforms have more break-ins, people who use those platforms will be charged an extra premium, just like a car with more rollovers will be charged a higher premium."But not everyone agrees. "I don\u2019t think that will make a difference in the long run," Voeller says. "It\u2019s a shortsighted perspective believing that using Linux servers will make you magically better off. There are fewer break-ins on Linux servers because there are fewer people using them. The insurance industry is just playing with actuarial tables."Whether the policies ultimately influence which products dominate a market remains to be seen. Before that can happen, more companies?many more?will need to buy policies. And at least for now, the indicators aren\u2019t pointing toward a sudden surge in the rolls of the cyberinsured. "I haven\u2019t heard of a lot of clients signing up," says Allan Carey, a senior analyst for IDC (a sister company to CIO\u2019s publisher, CXO Media). "A lot of companies have inquired about it, but they haven\u2019t gone ahead yet." Carey notes that a big issue is whether the money would be better spent elsewhere, such as implementing new security solutions or bolstering existing ones. Worse, some CIOs believe that taking out cyberinsurance and then buying particular pieces of hardware or software in the search for discounted premiums might provide a false sense of safety. If that becomes the case, the policies may even prove a detriment to security.And Novell\u2019s Anderson warns that taking out cyberinsurance would be a mistake if it leads companies to believe that the policy somehow releases them from the task of handling security properly. "There is no insurance policy that will replace my responsibility," he says.