Insuring Against Not-So-Sweet Melissa and Other Cyber Age Perils
Few underwriters appreciate that you care more about the data than the server it's on
It used to be that a small company's big insurance worry was whether
all the damages would really be covered if, say, its factory burned down.
Information Age entrepreneurs face a tougher problem: to make sure they're
covered if a hacker destroys their databases or software.
"Those intangible assets are just as valuable as anything you can lay
your hands on," says Robert Hartwig, chief economist at the Insurance Information Institute. And there's the rub: How do you value them?
The international panic that hit on Mar. 26, when a lone hacker unleashed
the notorious but relatively benign Melissa virus, shows this is no abstract
concern. Of 520 computer-security experts surveyed at U.S. corporations,
government agencies, and universities last year, 64% reported security
breaches, according to a joint Computer Security Institute and Federal
Bureau of Investigation study. They valued the damage at more than $136 million.
Even insurers, firmly rooted in the nonvirtual world -- witness the concrete monoliths they pick as headquarters -- are beginning to adapt to the Cyber Age with policies covering losses from hackers, accidental data destruction, and lawsuits from third parties hurt when a company's computers malfunction. Some will even include computer-related damages in standard business policies -- though you'll have to penetrate a thicket of exceptions and deductibles to tell whether a policy fits your needs.
The first place to look for broad data and system protection is your
"business interruption" coverage -- assuming it doesn't specifically exclude
this area. Business interruption typically compensates for lost income
and repair costs when disaster strikes. That might have covered damage
from Melissa, which crippled business networks by replicating itself in
E-mail systems. But to collect, you would have had to produce detailed
records showing how Melissa -- or any virus, for that matter -- stymied
your business, and how much the downtime cost you.
Some insurers just won't pay for this sort of problem, explains Lorelie
Masters, an attorney in the Washington (D.C.) office of Anderson, Kill &
Olick. Many policies cover interruptions from "direct physical loss,"
which most insurers interpret to mean replacing your server if fire, electrical
surge, or flood destroys it. They may not pay if a virus eats the data,
leaving the box intact. And you're on your own when it comes to reconstructing
lost information -- interruption policies rarely pay for that, even if
the cause was physical.
One reason for the disconnect between modern business needs and policies
is that insurers -- never big innovators -- are lagging behind a fundamental
change in information-technology economics. "It used to be that when people
considered the investment they made in information systems that they thought
exclusively of hardware," says Mark MacGougan, assistant vice-president
at Hartford Steam Boiler Inspection & Insurance Co., a Hartford (Conn.)
insurer. "Year after year, they're finding the hardware is less expensive,
and the data is more valuable."
A few companies are starting to catch on. American International
Group, Britain's Lloyd's, Cigna Property & Casualty, and
Reliance National, a unit of Reliance Group Holdings, now offer anti-hacking policies. They're mainly aimed at large companies with huge electronic infrastructures, but they can also be written for smaller businesses. The policies fall into two categories: First-party insurance, which covers damages to your business, and third-party insurance, which covers the harm your computer problems cause someone else -- however inadvertently.
Cigna recently launched its Secure System Insurance, which covers
three types of first-party losses from hackers and viruses: Theft of tangible
property, such as money or securities; business interruption; and damage
to data. The latter category includes the cost of reconstructing information.
A $10 million policy runs between $20,000 and $25,000 per year, with the
smallest available policy costing some $2,500 for $1 million in coverage.
The standard deductible is around $5,000 for smaller policies.
An important catch: Cigna requires clients to undergo a computer-security
audit before it will write the policy. Cigna's Nick Economidis cautions:
"The assessment will cost more than the insurance, but if you haven't had
an independent audit, you're not an insurable risk." The cost depends on
the complexity of your system. This insurance only kicks in if the damage
was malicious. You're stranded if a klutzy employee accidentally deletes
vital info.
Reliance National (through broker InsureTrust.com) and Lloyd's offer
anti-hacker and virus policies similar to Cigna's. While Lloyd's focuses
on large corporations, InsureTrust is gunning for smaller companies, offering
$5,000 premiums that buy $1 million in coverage.
Hartford Steam Boiler, along with Chubb Group, AIG, and St. Paul
Cos., all offer some measure of data-recovery insurance -- but the
basic policies only pay if your equipment is physically destroyed. Premiums
vary wildly, but expect to pay at least $5,000-$10,000 per year for starting
coverage of $1 million.
The dark side of the interconnected world is vulnerability to others'
technical problems. There are so many new areas of potential liability
-- many of which are likely to be tested in court before long -- that insurers
now offer a range of so-called third-party policies, which pay legal
costs when you're sued.
San Rafael (Calif.) insurance brokerage Costello & Sons Insurance
now packages what it calls Multimedia Liability insurance, which covers
Web publishers against copyright and intellectual property lawsuits. It
pays off, for example, if a Web designer were to lift a copyrighted image
or steal proprietary software code from a previous employer. For a minimum
premium of $3,500 a year, you get $1 million in coverage with a $10,000
deductible.
Westport Insurance Corp. in Overland, Kan., sells electronic errors-and-omission policies designed to protect computer consultants and systems builders from lawsuits filed by dissatisfied clients. A $1,500 premium buys you $1 million in coverage with a $5,000 deductible.
InsurePoint, a Southern California company catering to high-tech
startups, packages both coverages into one policy.
How to figure what coverage is best for you? Start by negotiating with
your present insurer. You may be able to add computer-specific riders to
your existing standard business interruption and liability policies. Before
you agree to pay any new premiums, attorney Masters recommends that you
ask some tough questions: Has the company paid cyber-claims before? Does
it cover first- and third-party damage or business interruption in this
area? And does it pay for electronic-data recovery?
It's a good time to be shopping, says Hartwig, of the Insurance Information
Institute. That's because business underwriting has become extremely competitive, he adds. In a networked world, insurers will have little choice but to expand their frame of reference beyond bricks and mortar.
By Dennis Berman in New York
Dennis_berman@businessweek.com