Bankrate.com
News & Advice Compare Rates Calculators
Rate Alerts  |  Glossary  |  Help
Mortgage Home
Equity		 Auto CDs &
Investments		 Retirement Checking &
Savings		 Credit
Cards		 Debt
Management		 College
Finance		 Taxes Personal
Finance

Hacking insurance may seem useless --
until someone shreds your network's security
By Jay MacDonald • Bankrate.com

Hacking insurance can protect your networkEach time a hacker pulls off an electronic heist such as the one that happened earlier this year to eBay.com, or simply disrupts commerce with a "Love Bug" or similar virus, inquiries flood in to the burgeoning Web insurance industry.

During the past three years, a handful of bullish cyber-insurers began offering coverage for a variety of e-commerce risks, including theft, damage or disclosure of data, denial of service, theft of intellectual property, unauthorized access, loss of revenue, and infringement of copyright and trademark.

For annual premiums starting as low as $5,000, you can be insured against sabotage from either side of your firewall by the likes of Lloyd's of London, Chubb, Cigna and AIG -- if your Web security measures up to their underwriting standards.

The irony is, if you can qualify for cyber-insurance, you probably won't need it. By linking their Web insurance policies to risk management processes and high security standards, insurance underwriters are betting they can keep you online -- and out of court.

- advertisement -

Hackers? What hackers?
If you are under the impression that cyber-piracy is a rare and random occurrence, think again. "The 2000 Computer Crime and Security Survey," conducted by the Computer Security Institute of San Francisco with the Bay Area's Federal Bureau of Investigation Computer Intrusion Squad, polled 643 security practitioners. It found that:

  • 90 percent had detected cyber-attacks within the past year.
  • 70 percent reported serious security breaches, including theft of proprietary information, financial fraud, system penetration from outside, denial of service attacks, and sabotage of data or networks.
  • 75 percent acknowledged financial losses due to computer breaches.
  • 42 percent (273 respondents) were willing or able to quantify the losses, a total of $266 million.

Emily Freeman, practice leader for e-business risk solutions with Marsh Inc., a San Francisco-based e-insurance broker, says most hacking still goes unreported for very sound business reasons.

"There is a lot of fallout that happens from Web incidents beyond just the hacking: litigation, fallout from customers, loss of contracts, issues with your brand," she says. "They can have a major impact on revenues, customer confidence, brand reputation and investor confidence."

Larry Harb, sales and marketing director for WiSPManagers.com of Okemos, Mich., an online Web insurance underwriter, agrees.

"Getting hacked is like being raped; nobody wants to talk about it," he says. "It goes unreported all the time because people are sweeping things under the carpet right now. The good news is, it's being low-keyed; the bad news is, it's being low-keyed. Because to bring it up, you risk business degradation."

You mean I'm not covered?
So far, very few businesses have obtained Web insurance. Many believe their traditional business coverage will suffice, or failing that, their Web host or ISP will cover damages. In both cases, they're probably wrong. Unless your business insurance policy or Internet service level agreement specifically includes language addressing e-commerce liability, you can bet you'll have an uphill fight to collect.

"Traditional business insurance never contemplated meeting and communicating electronically," says Steve Haase, CEO of INSUREtrust, an Atlanta-based Web insurer. "It is more of a brick-and-mortar approach that deals with bodily damage and property damage, those sorts of things. We had to create a suite of solutions that dealt with all the other kinds of damages that can occur when you're utilizing the Internet and conducting business through e-commerce."

To say that Web insurers have had a tough sell, especially among smaller businesses, is putting it mildly.

Certainly cost is a factor; many small businesses will roll the dice and self-insure rather than ante up $5,000-plus a year. But far more daunting is the prospect of bringing your site security up to the level that underwriters demand.

"The problem you run into with insuring smaller companies is they do not want to spend the money on security," says Harb. "Aunt Millie's Jam doesn't want to spend the money on security. People who think they can go out and open up a Web site for $19.95 a month and start doing business and taking credit cards is scary. That person is very much at risk."

And unfortunately, it is the smaller online businesses that most need the coverage.

"Very definitely," Haase says. "The very large companies, if they get sued, could handle that suit internally. But a smaller company could be devastated by a suit or a loss of data."

Risky business
Shopping for Web insurance is like shopping for auto insurance.

First-party coverage, similar to your automobile collision policy, covers lost data, lost network resources and damages that prevent you from generating revenue if your Web site, figuratively speaking, hits a tree.

Third-party coverage, similar to an auto liability policy, covers you if your company is sued. This could result if your site is down and customers can't gain access, private data becomes public, you send out a virus that damages other networks, or your company is held to be negligent because you didn't have policies and procedures in place.

If driving the information superhighway uninsured is risky for a business, it is equally challenging for insurance underwriters because there is no history or track record on e-commerce damages yet.

Insurers can estimate a company's exposure in many ways: Do you sell business-to-business or business-to-consumer? Are you a virtual business or a "brick-to-click" company with Main Street outlets? How many credit card numbers do you retain in your database? Is your product high-risk or low-risk?

However, insurers cannot predict what the damage might be from court litigation. What they suspect, based on this year's eBay credit card hack, is that court awards could be huge.

To mitigate their exposure to this great unknown, most insurers team with third-party risk management companies to assess your Web security before they will insure you.

Here's how three Web insurers manage the risk:

  • Net Secure, offered by Marsh, underwrites policies based on an application and free Web site security self-assessment at its Web site, evaluated online by partner IBM. Your business must score better than 60 percent or contract with a Net Secure risk management provider to shore up your perimeter. Coverage cost begins at $5,000 a year for $1 million of coverage. Risk management outsourcing cost begins at $15,000 annually.
  • WiSP (Web Insurance & Security Program), offered by WiSPManagers.com (formerly J.S. Wurzler Underwriting Managers Inc.), requires a security assessment beginning at $1,000. "They do perimeter checks to see whether they can get in and how long it takes them," says Harb. "You can call it the ethical hack." Coverage cost begins at $6,000 a year; average annual premiums run $36,000 for $1 million coverage.
  • Insuretrust offers a small-business solution for $5,000 to $10,000 a year without an assessment. For larger companies, an onsite security assessment starting at $8,000 is required; annual premiums run $10,000 to $20,000.

Meeting rising demand
Nobody expects small or even mid-size companies to love the idea of insuring their Web site. For most, it's a costly solution to a problem they aren't convinced they have. Still, with every passing virus or e-bank robbery, more and more shareholders become aware of -- and make CEOs very nervous about -- the potential for e-calamity.

Freeman says the cost of working with a risk management provider to get Web insurance is a bargain compared to hiring an Information Services manager and building the infrastructure yourself.

"This technology is not bulletproof," she says. "Security is only one of the risks of cyberspace, but it's a biggie and it just doesn't go away by waving a magic wand of technology. These are business risks and they need to be managed as such."

Harb says his brick-to-click clients have been quickest to grasp the need for Web insurance.

"If you have multiple stores, your Web site has just become your largest store. You wouldn't open your largest store without thinking about insuring it."

Would you?

Jay MacDonald is a contributing editor based in Florida
To comment on this story, please e-mail the Bankrate.com editors

-- Posted: June 1, 2000
top of page
30 yr fixed mtg 5.17%
48 month new car loan 6.76%
1 yr CD 2.55%
Alerts
More good stuff
Small-business glossary
Small business archives
Find the best business account rates
Calculate your key business ratios
Business credit card rates
Business basics: easy guides to success
Economic statistics and interest rates
E-mail the SmallBiz Adviser
ADVERTISER LINKS
   
 
   
 
   
 
   
 
   
 
   
Calculators
Current ratio calculator
Quick ratio calculator
Debt to assets ratio calculator
Return on assets calculator
Gross profit margin calculator

Operating profit percentage calculator
Buy our book
Your Financial Action Plan
Learn more
- advertisement -
 
- advertisement -
News & Advice | Compare Rates | Calculators
Mortgage | Home Equity | Auto | Investing | Checking & Savings | Credit Cards | Debt Management | College Finance | Taxes | Personal Finance
About Bankrate | Privacy | Online Media Kit | Partnerships | Investor Relations | Press/Broadcast | Contact Us | Sitemap
NASDAQ: RATE | RSS Feeds | Order Rate Data | Bankrate Canada | Bankrate China

* Mortgage rate may include points. See rate tables for details. Click here.
* To see the definition of overnight averages click here.

Bankrate.com ®, Copyright © 2009 Bankrate, Inc., All Rights Reserved, Terms of Use.

Bankrate Privacy Policy