Insuring Against Not-So-Sweet Melissa and Other Cyber Age Perils
Few underwriters appreciate that you care more about the data than the server it's on
It used to be that a small company's big insurance worry was whether its
all the damages would really be covered if, say, its factory burned down.
Information Age entrepreneurs face a tougher problem: to make sure they're
covered if a hacker destroys their databases or software.
"Those intangible assets are just as valuable as anything you can lay
your hands on," says Robert Hartwig, chief economist at the Insurance Information Institute. And there's the rub: How do you value them?
The international panic that hit on Mar. 26, when a lone hacker unleashed
the notorious but relatively benign Melissa virus shows this is no abstract
concern. Of 520 computer-security experts surveyed at U.S. corporations,
government agencies, and universities last year, 64% reported security
breaches, according to a joint Computer Security Institute and Federal
Bureau of Investigation study. They valued the damage at more than $136 million.
Even insurers, firmly rooted in the nonvirtual world -- witness the concrete monoliths they pick as headquarters -- are beginning to adapt to the Cyber Age with policies covering losses from hackers, accidental data destruction, and lawsuits from third parties hurt when a company's computers malfunction. Some will even include computer-related damages in standard business policies -- though you'll have to penetrate a thicket of exceptions and deductibles to tell whether a policy fits your needs.
The first place to look for broad data and system protection is your
"business interruption" coverage -- assuming it doesn't specifically exclude
this area. Business interruption typically compensates for lost income
and repair costs when disaster strikes. That might have covered damage
from Melissa, which crippled business networks by replicating itself in
E-mail systems. But to collect, you would have had to produce detailed
records showing how Melissa -- or any virus, for that matter -- stymied
your business, and how much the downtime cost you.
Some insurers just won't pay for this sort of problem, explains Lorelie
Masters, an attorney in the Washington ( D.C.) office of Anderson, Kill &
Olick. Many policies cover interruptions from "direct physical loss,"
which most insurers interpret to mean replacing your server if fire, electrical
surge, or flood destroy it. They may not pay if a virus eats the data,
leaving the box intact. And you're on your own when it comes to reconstructing
lost information -- interruption policies rarely pay for that, even if
the cause was physical.
One reason for the disconnect between modern business needs and policies
is that insurers -- never big innovators -- are lagging behind a fundamental
change in information-technology economics. "It used to be that when people
considered the investment they made in information systems that they thought
exclusively of hardware," says Mark MacGougan, assistant vice-president
at Hartford Steam Boiler Inspection & Insurance Co., a Hartford (Conn.)
Insurer. "Year after year, they're finding the hardware is less expensive,
and the data is more valuable.
A few companies are starting to catch on. American International
Group, Britain's Lloyd's, and Cigna Property & Casualty,
Reliance National, a unit of Reliance Group Holdings, now offer anti-hacking policies. They're mainly aimed at large companies with huge electronic infrastructures, but they can also be written for smaller businesses. The policies fall into two categories: First-party insurance, which covers damages to your business, and third-party insurance, which covers the harm your computer problems cause someone else -- however inadvertently.
Cigna recently launched its Secure System Insurance, which covers
three types of first-party losses from hackers and viruses: Theft of tangible
property, such as money or securities; business interruption; and damage
to data. The latter category includes the cost of reconstructing information.
A $10 million policy runs between $20,000 and $25,000 per year, with the
smallest available policy costing some $2,500 for $1 million in coverage.
The standard deductible is around $5,000 for smaller policies.
An important catch: Cigna requires clients to undergo a computer-security
audit before it will write the policy. Cigna's Nick Economidis cautions:
"The assessment will cost more than the insurance, but if you haven't had
an independent audit, you're not an insurable risk." The cost depends on
the complexity of your system. This insurance only kicks in if the damage
was malicious. You're stranded if a klutzy employee accidentally deletes
Reliance National (through broker InsureTrust.com) and Lloyd's offer
anti-hacker and virus policies similar to Cigna's. While Lloyd's focuses
on large corporations, InsureTrust is gunning for smaller companies, offering
$5,000 premiums that buy $1 million in coverage.
Hartford Steam Boiler, along with Chubb Group, AIG, and St. Paul
Cos. all offer some measure of data-recovery insurance -- but the
basic policies only pay if your equipment is physically destroyed. Premiums
vary wildly, but expect to pay at least $5,000-$10,000 per year for starting
coverage of $1 million.
The dark side of the interconnected world is vulnerability to others'
technical problems. There are so many new areas of potential liability
-- many of which are likely to be tested in court before long -- that insurers
now offer a range of so-called third-party policies, which pay legal
costs when you're sued.
San Rafael (Calif.) insurance brokerage Costello & Sons Insurance
now packages what it calls Multimedia Liability insurance, which covers
Web publishers against copyright and intellectual property lawsuits. It
pays off, for example, if a Web designer were to lift a copyrighted image
or steal proprietary software code from a previous employer. For a minimum
premium of $3,500 a year, you get $1 million in coverage with a $10,000
Westport Insurance Corp. in Overland, Kan., sells electronic errors-and-omission policies designed to protect computer consultants and systems builders from lawsuits filed by dissatisfied clients. A $1,500 premium buys you $1 million in coverage with a $5,000 deductible.
InsurePoint, a Southern California company catering to high-tech
startups, packages both coverages into one policy.
How to figure what coverage is best for you? Start by negotiating with
your present insurer. You may be able to add computer-specific riders to
your existing standard business interruption and liability policies. Before
you agree to pay any new premiums, attorney Masters recommends that you
ask some tough questions: Has the company paid cyber-claims before; does
it cover first- and third-party damage or business interruption in this
area; and does it pay for electronic-data recovery.
It's a good time to be shopping, says Hartwig, of the Insurance Information
Institute. That's because business underwriting has become extremely competitive, he adds. In a networked world, insurers will have little choice but to expand their frame of reference beyond bricks and mortar.
By Dennis Berman in New York