Cyber Risk Insurance?
a little lethargic asks: "I work at a medium-sized business (20-25 computer users, out-of-house web server, in-house Win2k profiles and file server, ADSL connection, firewalled, nightly tape backup - a pretty standard small-business-type setup). Our insurance company's 'Technology Risk Group' is trying to get us to purchase 'Cyber Risk Insurance'. The minimum premium for their policies begins at Cd$3500. Management wants to know if we should consider this or not. Has anyone on Slashdot dealt with similar insurance issues and might they have experience or insight to share?"
"Here's the pitch, in their words:
New risks have emerged as corporations rely more heavily on information networks and the internet to improve their competitive position, efficiency and quality of service. Corporate governance mandates that principal risks be identified and appropriately managed and senior management be held accountable for the systems put into place to address and mitigate their risks.
Would you spend money obtaining such an insurance policy for your company?
A few examples of these risks include:
- Third party lawsuits as a result of a privacy breach and a release of personal or confidential information including identity theft
- Copyright and trademark infringement claims stemming from corporate web sites
- Business interruption as a result of a security breach, virus or network interruption
- Breach of corporate network security policies by an employee..."
You need to consider the size of the business and the size of the network that is being insured.
Your network is small enough to be able to recover fast from any "cyber" risk, provided that you have good backups and a disaster recovery plan.
Back up your data.
For the examples:
If you're keeping your client data outside the firewall, you're asking for trouble. Put it behind the firewall. Back up your data.
Copyright and trademark infringement is a realm best left to the corporate attorney.
Back up your data.
Network interruptions for the outside world are inevitable, though hopefully rare; if you lose your internet connection frequently, change providers. Viruses and break-ins can be prevented by AV software and firewalls. Frankly, too, if your business relies solely or largely on a website, you should have an offsite mirror.
Back up your data.
A breach of network security from inside can be prevented, but it's not impossible to abate entirely. Odds are, though, they did it so they could get their Kazaa connection going.
Did I mention that you really, really should back up your data, by the way?
This sig no verb.
I'd say that "cyber risk" insurance is at *least* as crucial as sherbet insurance.
May we never see th
This is a really tough question. $3500/year is inexpensive compared to many other operating expenses. The big question is: Does the policy provide any real protection? I have seen a few policies and the list of exception cases was greater than what was actually covered. Even in the event of a real claim there were enough loopholes that it was unlikely that the insurance agency would pay out. Loopholes such as vague descriptions of "proper procedures and safeguards." I have yet to see a policy that properly protects data. Part of the problem is that it is very hard to assign value to data. What is the value of a customer list? You have to compare the new policy to existing policies. Is there any overlap?
Every company is different. In order to determine if such a policy is good for your company you are going to have to read the policy fine print and assess if the policy protects against real threats to your business.
I always wanted to make an open source lawsuit insurance company: pay me a little bit a year, use your Lunix and your Open Sores. In return I will:
:)
- Provide a warranty for certain pieces of OSS. I'm sure you've all seen this: "This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE." Well, this company would provide that warranty. Obviously they couldn't provide it for any piece of OSS, but there would be preset ones that were covered.
- Pay for (and win) any lawsuits that come your way for alleged IP infringement (SCO-style).
The problem I see with this company is that it runs off of FUD -- and as soon as people start to realize that Open Source software doesn't actually HAVE these problems, the less they will be inclined to buy this insurance. It's sort of self-defeating. But I think I could sell it to a few companies nowadays and plan for it to go out of business in a few years. If I made it a non-profit that would make a lot of sense too, then I wouldn't have the incentive to generate more FUD or anything like that.
Well, I didn't end up making a comment about this particular insurance... oh well
...is that, if it is possible for you to do so, it is always cheaper to insure yourself.
Large corporations do this all the time.
The only time you need to contract out for insurance for whatever is if you can't afford to absorb the loss and don't mind paying a premium for someone else to do it.
My advice?
Look again at the list of what they insure against.
Create a plan to assess and mitigate each of those risks yourself. Take some time to research things, perhaps even call in an expert consultant for a couple of days.
At the end of the day you'll have saved yourself a bunch of money and be more secure than you were before.
[Besides, I would expect the insurance company itself to come in and "insure" that best practices were being followed so as to decrease the likelihood that they'd ever have to pay out on a claim. Kind of like the provisions in life insurance policies where you need a physical exam, promise not to go hang-gliding or sky-diving, etc. before they actually issue you a policy.]
"Provided by the management for your protection."
... of the insurance company attempting to weasel out of a claim following an attack/invasion, by saying that the flaw/sploit was something you should have "reasonably" known about and should have already fixed.
Many lawyers pile up many billable hours based on determining "reasonable" in every different case, and you damn betcha an insurance company has better lawyers than most companies.
"I may be synthetic, but I'm not stupid." -- Bishop 341-B
You say yes, the worst happens, you keep your job
You say no, the worst happens, you lose your job (or at least are very, very, very unpopular).
It ain't your money.
There are two types of insurance that they're offering you in this package:
-Liability insurance (somebody sues you because of X)
-Accident insurance (a bad thing happens that costs a lot of money to fix)
You need to treat these separately. My take on it:
-You need some sort of liability insurance, particularly if you're dealing with Americans (I say this as an American, and I am ashamed). This may be as simple as "kick-ass lawyers on retainer" or it may be a comprehensive liability insurance policy. Make sure that your liability policy covers computer-related events.
-You're going to get screwed on the accident insurance. There'll be words scattered throughout the policy that relieve the insurance company of liability if anyone at all can claim that it's your fault. Since there's -always- something else that you can do to protect yourself, you won't ever be covered if the shit hits the fan. Hire a good dedicated sysadmin (or several, if you can afford it) who has a good idea of industry best practices, including comprehensive recovery policies. Develop clear policies and procedures and run them past a technically-clued lawyer (yes, they do exist!) to ensure that you've covered privacy issues adequately. Once you have a disaster recovery plan, figure out how much it'll cost (yes, this means collaboration with the bean-counters), and convince the head boss to ensure that there's enough cash available to implement the disaster plan. If the cash isn't available, get insurance for at least that amount.
This work will cause a one-time cost hit that's probably more than $3500, but you'll know exactly what you're getting, and more importantly, you'll be getting something more than a hot-air promise from an insurance salesman. You'll actually make your business more stable and more attractive to clients and investors ("We have a comprehensive disaster recovery plan" makes big customers happy because they worry about what happens if your little company goes away). As a nice side effect, it'll probably lower your insurance premiums because you're a lower risk.
--
Sounds like a scam to me, especially that premium. WAY out of proportion to your potential liability; if your bosses are really hung up on needing insurance I suggest you open your own business, bid $500 less, and let the money accumulate in a bank account until something actually does happen.
SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
Get it. $3,500 is a bargain for a business of your size. One virus, one black-hat, one ill-timed tape loss and your business could be dead in the water for hours, days, or weeks -- business interruption coverage for technical problems is essential for any business that substantially depends on their computers. It's important to do all you can to reduce your risk -- backups, best practices, etc., as others have named -- but we all know that these things fail sometimes, usually due to human error, and there's no sense in saying "you should have backed up!" as your business washes down the tubes.
I know virtually nothing about Aon, to say nothing of their Tech E&O coverage, so I can't say if they're any good. But the coverage on the whole is important to have. Do yourself a favor and recommend it to your boss, but also recommend that your boss talk not to Aon (they're not going to tell you what the flaws in the coverage are, or recommend competitors), and, for the love of god, not rely on Slashdot for business advice, but find yourself an independent insurance agent and talk to them, ideally one who knows Tech E&O. They're not married to one particular carrier, they'll be able to give you examples of how this can be useful, and they'll be able to get you the best deal. Who knows -- maybe they'll recommend against it?
I happen to be a licensed property and casualty insurance agent in the state of Virginia, though I don't work in the business anymore, but I've sold a lot of this coverage over the years, and even bought it for my own business. I recommend it strongly.
-Waldo Jaquith
It drives me nuts that the companies selling insurance call it insurance... It will not insure that nothing will happen, it is there 'just in case'. Just in case some moron cuts you off, just in case your computer gets wet, just in case a tornado throws a cow through your bedroom window and breaks your mother's tiara sitting on your night stand ;). I was thrilled to find an insurance agent who calls it what it is, 'Just in case'.
Although self-insurance in the form of dedicated, consistent backups is prevention and in the long run is worth more than any amount of just in case you may receive if something does go wrong, having some form of backup income, just in case, can alleviate the costs of reverting to backup.
Even if the funds you receive only cover the costs of the tech's salary for the time it takes them to bring your system back to last night's save, and cover one to two days' loss of business caused directly by the mishap, then you are at least covered.
Expecting to gain some form of windfall just because shit happens and you feel you are due because of the stress it may have caused you in your business is not practical.
So if you are going to buy 'insurance' find someone who calls it what it is and covers you for 'Just in case shit happens'.
flinging poop since 1969
I'd be HIGHLY skeptical about this. Insurance companies are notorious for weaseling or trying to weasel out of contracts. They look at every little detail to try to find a way not to pay out (from their greedy POV, of course, right?). Sometimes they have vague clauses that you could end up in court over. This type of insurance, to me, seems really shady. I'd get my mitts on their contract and have an attorney look it over. One that deals with insurance claims and one that deals in IT/tech issues or something.
Aside from the shifty insurance companies, you have another problem. You will rely on your insurance and assume it will pay out. So your company will probably build "policy" on it. Dangerous if it won't pay out.
Another problem is even if it does pay out for, say, network outages, what will it pay? If your internet access is down for 2 days because some homeless man lit a fire and it melted the fiber under a bridge (happened in downtown Minneapolis about 8 years ago) will it pay then? Will it make up for lost revenue from a network outage? Doubtful.
It's obviously worth looking into it, but $3500/yr seems a lot if it won't help when you need it.
You are free to do as we tell you.
We want your soul.
www.wewantyoursoul.com
If you are in the US, $3500 for insurance against litigation is cheap.
If someone sues you, drop it in the insurance company's lap, and let it worry about it.