Life is unpredictable. Catastrophes can and do happen. Fires, floods, bombs, lawsuits: businesses get insurance to protect themselves when things, inevitably, go wrong.
But few companies have cyber-security insurance despite the pervasive concern about identity theft and information security exposures.
According to the 2005 CSI/FBI Computer Crime and Security Survey, only 25 per cent use insurance to manage cyber-security risks, although the vast majority of respondents experienced breaches, with average losses of $204,000. Why the low uptake to help manage an area many senior executives say is a top priority?
“It’s a matter of getting the right price for cyber-security insurance. It comes down to economics. But this is a tough product for insurance companies,” said Lawrence A. Gordon, co-author of the survey and professor of information assurance at the University of Maryland.
A chicken-and-egg problem is at the core.
The percentage of organizations reporting computer intrusions to law enforcement continues its multi-year decline, driven by fears of market backlash. But insurance companies need this fundamental information to discern patterns in cyber-crime and develop the actuarial databases that form the basis of insurance risk assessment and pricing.
Despite the under-reporting problem, some major insurance companies started offering cyber-security insurance around 1999. But other issues are inhibiting uptake. Mass-market awareness of security risks has only recently percolated beyond regulated high-risk sectors like financial institutions and healthcare. And many companies are facing sharply increased costs for traditional “mandatory” insurance products such as property and casualty, leaving them with little budget to cover other risks.
There are also internal reporting and communication breakdowns at many companies, according to Robert Parisi, technology and telecommunications practice leader at Marsh Inc., a New York-based insurance brokerage. “If the technology side of the house is not reporting to the treasury or risk management side how often these security incidents happen, the guys whose business it is to buy insurance may not know the risk because no one tells them,” he said.
From the insurance carrier’s perspective, under-reporting increases the risk of adverse selection and poses a moral hazard. In insurance parlance, adverse selection refers to the problem that arises when the party seeking insurance has private information not available to the insurance company.
A person who is ill, for example, is more likely to seek insurance than a healthy one, and has an incentive to hide his condition. Moral hazard refers to the lack of incentives to the insured party to take actions that reduce the probability of loss after insurance is provided. Flood insurance, for example, can increase the likelihood of houses being built in high-risk areas like New Orleans.
Both are issues for any type of insurance but they get trickier with cyber-security insurance, said Gordon. Lack of accurate external information means insurance companies must cover largely unknown risks, he said. Companies that under-reported breaches in the past will have an economic incentive to report them after obtaining insurance, which may lead to large and unanticipated claims payouts.
But insurance companies have mechanisms in place to deal with these issues, said Nick Economidis, product manager of netAdvantage, a cyber-security insurance suite offered by American International Group Inc. (AIG), an international insurance provider. “We think our model accurately reflects risk – ultimately, time will tell if it’s good, bad, or indifferent,” he said.
Economidis explained how AIG’s cyber-security insurance screening and coverage works. A large company seeking insurance would require a security audit by an outside expert, paid by AIG to spend a few days on-site reviewing the security systems and policies, and interviewing key executives.
AIG uses the ISO 17799 standard as the security benchmark to evaluate the risk. Policies include clauses that require the insured company to maintain and upgrade security as it normally would, to remove any incentive to let it slide once the insurance is approved. “The pricing of the policy is definitely connected to the quality of information security,” said Economidis, adding that premiums are probably a little less in Canada than in the US, since the potential to be sued and found liable is lower in our not-so-litigious society.
AIG’s netAdvantage product suite covers four broad categories of cyber-risk. The security liability coverage defends the insured against legal liability arising from security failures, paying legal fees and amounts the insured is obligated to pay, such as reissuing new credit cards. First party coverage pays for any direct damage suffered by the insured, such as extortion by hackers. Information asset coverage pays costs to recreate or restore electronic data damaged or lost in an attack, such as customer databases. Business interruption pays for loss of income resulting from disruption to computer systems, such as loss of sales to retailers.
AIG is expanding and enhancing coverage as it gains more experience. “Business interruption insurance doesn’t just cover web sales. We apply it to all operations, since many cash registers are networked computer terminals. So if the network goes down due to a virus, the company may have a material business interruption,” said Economidis.