http://www.theglobeandmail.com/servlet/story/RTGAM.20051117.wsrcyberinsur17/BNStory/Business/

By GRANT BUCKLER
November 17, 2005
Thursday's Globe and Mail

A fire in your company's data centre destroys computers and data critical to your business. Your property insurance probably covers the wrecked equipment and the value of the data it contained. But if the same data is lost due to a computer virus or a hacker attack -- or if a customer sues you because private data was accidentally made public -- chances are you are not covered.

Though more and more of the information on which businesses depend is kept in electronic form, and the risks to that data are numerous and well publicized, the insurance industry has paid relatively little attention so far to protecting customers against losses due to computer viruses, hackers, programming errors and catastrophic system failures.

"The industry has pretty much languished over how to deal with the whole idea of property loss over data," says Michael McQuaid, vice-president of corporate risk at insurance broker Insurers Financial Group in Richmond Hill, Ont.

You can purchase special insurance designed to protect your business against data loss and related risks. But getting the best deal on such insurance -- or getting it at all -- requires that you understand the value of your data and the risks you face and that you take proper precautions to guard against system break-ins, viruses and data falling into the wrong hands.

Standard commercial property insurance usually covers data loss that results from loss or damage to physical property covered by the policy. So if a computer room is destroyed in a fire or flood, the equipment and the data it contains is covered -- but not otherwise. "You must have physical loss to tangible property," Mr. McQuaid says. Most property insurance policies today make this explicit by excluding data unless it is lost due to a "named peril," like a fire or flood.
One way around this is to persuade your insurer to "endorse" your policy to remove the data exclusion. But Mr. McQuaid says relatively few insurers are willing to add such endorsements to property policies today.

You can, however, purchase standalone insurance against data loss or misuse. American International Group Inc. of New York offers Information Asset Coverage that will pay the cost of restoring lost data from backups or, if that can't be done, the cost of reconstructing the data, however possible. It also covers the cost of lost business due to loss of data. Designed for companies with $10-million or more in annual revenues, policies are available with coverage limits from $1-million to $25-million (U.S.) per incident, up to a maximum of $25-million (U.S.) for the life of the policy, says Nick Economidis, vice-president and product manager for technology at AIG.

Chubb Insurance Co. of Canada in Toronto launched a product in April that protects against viruses, theft of proprietary information and unauthorized access to data. Depending on the amount of coverage purchased, policies will pay claims of up to $1-million for incidents caused by factors inside the insured company and up to $10,000 per occurrence to a $50,000-per-year maximum for incidents caused by outside factors. The more restricted payouts for incidents caused by outside factors are because such incidents -- like virus attacks -- could lead to claims from many policy holders at the same time, says Andrew Steen, vice-president of technology insurance specialty at Chubb Canada.

Rosaleen Citron, chief executive at WhiteHat Inc., a Burlington, Ont., computer security management company, says too few companies think about insuring their data. Many take the attitude that, if attacked, they will simply absorb the cost, she says, but that is a risky strategy. "If I were a big company, I would certainly be looking at cyber-insurance."

However, it's not as simple as just buying a policy.
The first issue is: What insurance do you need? And that depends on the value of the data and the risk. Putting a value on data is tricky, Mr. McQuaid says, but it ultimately comes down to what it would cost your business if the data were lost. Would the loss be a day's sales? A six-month delay in launching a new product? Half your customers switching to the competition? Would the business even survive if certain data were lost? And how would you recreate the data?

Having assessed the risks as best you can, the next step is to do everything possible to guard against them. Aside from the fact that insurance money can't really compensate for loss of critical business data, you may not even get insurance if you haven't taken reasonable security precautions, and you will probably pay less if your security practices are sound.

The exact requirements vary from one organization to another, but the basics include an accepted standard of network security, clearly stated and regularly updated security policies, prompt installation of critical software updates and encryption of sensitive data.

You may also need to look at contracts with other companies, Mr. McQuaid suggests -- those that have access to your data as part of services they provide to you, for instance. Are those partners taking adequate precautions? And who is responsible if your data is lost or improperly disclosed due to an error on their part?

In evaluating an applicant's security protection, insurers often look at an International Standards Organization standard called ISO 17799. "That basically is a framework which defines best practices for network security," says Narender Mangalam, director of network security and underwriting at AIG.

ISO 17799 does not tell you exactly what to do, notes Tom Slodichak, chief security officer at WhiteHat. It outlines a number of areas, such as physical security, access controls and encryption. Calling it "a very high standard," Mr. Mangalam says AIG treats ISO 17799 as a guideline, not a list of must-have items.

The quality of a company's security protection determines not just whether it's eligible for insurance but what coverage it can get at what cost. Mr. Economidis says AIG's underwriters use a rating system to determine what premiums a client pays. Mr. Steen says Chubb offers a minimum level of coverage to all customers, but "more coverage would be available and at a more cost-effective price" for those with better security in place.

Charles Salameh, president of Bell Security Solutions Inc., a unit of Bell Canada that provides security consulting services to businesses, says a company that does computer security well can save 3 to 5 per cent on insurance premiums. "It's no different than driving for six years without getting into an accident," Mr. Salameh says. BSSI, which assesses potential insurance clients' computer-security risks for Itasca, Ill.-based insurance firm Arthur J. Gallagher & Co., also provides consulting services to help companies seeking insurance against data loss and network intrusions get better deals.

Options for insuring data are limited but increasing. "I do believe the market will step up to this," Mr. McQuaid says. Either standard property policies will include more coverage for data loss, he predicts, or a wider range of specialized policies will become available.
This archive was generated by hypermail 2.1.3 : Thu Nov 17 2005 - 23:22:10 PST