As IT becomes essential to running organisations, specialist policies are popping up to insure data and systems.
IT operations are beset by risk. Dangers lie everywhere, whether it’s tornados flattening your data centre or script-kiddies flattening your website. You can work with insurance companies to build policies protecting your company against many types of risk but can you take out a policy covering the risks associated with computing?
Several companies do offer insurance policies for IT risk. Some specialise in liability insurance for IT service providers, while others also cover companies using IT for their businesses. This can either be done as part of an existing policy or as a dedicated policy with extensive coverage.
In the UK, for example, Chubb Insurance insures companies against the impairment of computer services as part of its commercial property policy. In the US it has a dedicated IT security insurance policy for financial data which covers electronic theft, denial of service, electronic vandalism and compromised data during electronic communication.
Assessing IT risks in monetary terms isn’t always easy. When the Nationwide Building Society recently suffered the theft of an employee’s laptop containing unencrypted customer data, it found out just how quantifiable its risk was – the FSA fined it £980,000. But such fines are uninsurable, explains Chris Fitzgerald, managing director of specialist IT insurance broker FRD Risk Solutions. “In the UK that would be construed as being against public policy,” he says. “What you can insure against is the cost of a PR consultant to mitigate the reputational damage, and potentially the additional cost incurred to re-allocate client account details.”
TJX Group, which lost millions of credit card records after malware was installed on its server, could have been insured, but such insurance would need a dialogue between the client, the broker and the underwriter. “Quite often when pricing structure is put forward for those covers, clients can baulk at the premium because it can be significant to say the least,” Fitzgerald says.
But how are such premiums calculated?
Underwriters will often maintain partnerships with specialist IT risk assessment companies. The underwriter’s expertise complements the broker’s own investigation of the client’s business processes and QA procedures. Chris Cotterell, a partner at large ICT insurance underwriter Safeonline, explains that the company divides policies into five risk levels. The first and lowest level addresses companies which simply use email and store data on office systems. The highest would address customers such as ecommerce companies who are totally reliant on the internet for their business.
The cost of risks in first-party IT insurance contracts that compensate the owner of the policy are easier to quantify, says Paul Skinner, senior ICT underwriting specialist at Chubb Insurance. “On first-party, you can calculate the value of property and look at business interruption,” he says. But third-party liability, where you’re compensating someone else for the failure of your computer systems, is harder to quantify.
Understanding the cost associated with, say, compromised customer data is a difficult and inexact task. Whereas actuaries are used to dealing with detailed, tried-and-tested tables and equations for other types of insurance, things are less mature in the ICT industry, according to Cotterell.
“In 10 or 20 years’ time there will be actuarial studies, and they will have arrived at an exact model, as they have with car insurance,” he says. “We don’t have that level of data yet, so we take what we think are reasonable rates based on reasonable risks.”
Mark Greisiger, CEO of NetDiligence, which conducts IT risk assessment services on behalf of insurance companies, says: “The difficulty in this space is that people aren’t willing to tell you truly if breaches occur, and if they occur, how much the average loss is.”
Actuaries use the best information available – normally studies from organisations like the FBI and the Computer Security Institute – but even these figures are far from exact, he argues. Data breach disclosure laws in the US (and possibly soon in Europe) help with this to a certain extent but it’s still far from an exact science.
“Everyone has their own figure for potential loss due to a breach or a problem. There isn’t really a standard framework,” warns Ken Newman, who grapples with such issues as vice president of security at the American Savings Bank in Honolulu. “But I know that we’re spending more time evaluating the identity-theft space.”
NetDiligence’s Griesiger agrees that privacy has become a focal point in recent years following incidents with firms like TJX Group and others. He says: “Cyber policies have extended themselves to cover any type of exposure no matter where that data is. Often we’ll see back-up tapes fall off the truck, laptops lost and so on. And then there are people improperly shredding information and putting it in a dumpster for it to be blown down the alley.”
Greisiger adds that customers using outsourced IT services can be another risk for insurers. Depending on the nature of the service and the size of the outsourcing contract, outsourcing providers may not always indemnify their clients or provide details of their own risk avoidance policies for their customers to pass on to insurers. Insurance companies will often bite the bullet and insure an outsourcing customer anyway but working with a larger, more established outsourcing provider will definitely help, he adds.
Insuring against IT risk is still a relatively immature area but as regulators continue to badger board members about their corporate risk and internal controls, it may become an increasingly visible issue for companies. IT operations may already be at least partly insured in existing contracts but this isn’t something that IT directors will want to leave to chance.
If you would like further advice regarding IT insurance, please contact Tony Gibbs on 0118 9165480 or email firstname.lastname@example.org