Risky Business

Risky Business

Recent high-profile Internet attacks and security breaches have rekindled a debate over the value of yet another business cost — that of cyber insurance. Commonly referred to as network intrusion insurance, cyber insurance protects companies from digital losses not included in most business insurance polices, including those stemming from hacker attacks, computer viruses, cyberterrorism, and intellectual property theft.

The risk of security breach is high, according to the Computer Security Institute, which found in a 2002 survey that 90% of large corporations and government agencies polled had experienced breaches in the preceding 12 months. “We see hundreds of threats a month now. We saw only five or six a month, a few years ago,” says Ron Michalak, director of marketing for security solutions provider Internet Security Systems Inc. A few threats have made major headlines: In January 2003, the SQL (pronounced sequel) Slammer worm slowed Internet traffic globally and knocked out power to many ATMs in the United States. A month later, a hacker gained access to millions of Visa and MasterCard account numbers after a security breach at a company that processes merchant transactions.

But while hacker insurance sounds good, many companies are forced to weigh the risks with the costs. With policies ranging from about $5,000 annually for small companies to more than $50,000 for enterprises, some firms simply can’t justify the purchase in a tight economy. This is particularly true, now, when “a lot of companies have budgets cut,” says Steven Haase, CEO of Atlanta-based INSUREtrust.com L.L.C. Haase offers the insurance through underwriters Lloyds of London and Liberty Mutual Insurance Company. Other major underwriters of cyber insurance include American International Group Inc., Marsh Inc., Zurich North America, and St. Paul Companies Inc.

But getting cyber insurance isn’t simply a matter of signing up. Firms applying for cyber insurance must typically undergo a security assessment. And some cyber insurance agents offer a discount if the company agrees to use certain security tools or services, similar to the breaks offered to home insurance policyholders who use home security services.

So far, $100 million to $200 million worth of premiums have been sold, says Robert Hartwig, chief economist with the Insurance Information Institute. Hartwig once predicted the industry would reach $2.5 billion in premiums by 2005, but he now believes it will only reach $400 million. “Many [companies] don’t believe they’re likely to suffer serious losses in the event of an attack,” he says. “Some just don’t want to pay the extra premium.”