Slashdot Mirror


Cyber Risk Insurance?

a little lethargic asks: "I work at a medium-sized business (20-25 computer users, out-of-house web server, in-house Win2k profiles and file server, ADSL connection, firewalled, nightly tape backup - a pretty standard small business-type setup). Our insurance company's 'Technology Risk Group' is trying to get us to purchase 'Cyber Risk Insurance'. The minimum premium for their policies begins at Cd$3500. Management wants to know if we should consider this or not. Has anyone on Slashdot dealt with similar insurance issues and might they have experience or insight to share?" "Here's the pitch, in their words:
New risks have emerged as corporations rely more heavily on information networks and the internet to improve their competitive position, efficiency and quality of service. Corporate governance mandates that principal risks be identified and appropriately managed and senior management be held accountable for the systems put into place to address and mitigate their risks.

A few examples of these risks include:

- Third party lawsuits as a result of a privacy breach and a release of personal or confidential information including identity theft
- Copyright and trademark infringement claims stemming from corporate web sites
- Business interruption as a result of a security breach, virus or network interruption
- Breach of corporate network security policies by an employee..."
Would you spend money obtaining such an insurance policy for your company?

3 of 19 comments

  1. Re:Disaster Recovery by cyber0ne · · Score: 2, Insightful

    Solely in terms of Disaster Recovery, I'd have to agree with the parent and suggest that any money that would go towards such insurance be better spent ensuring a good recovery plan. If something were to happen to the company's data, an insurance payoff is of little consolation when all it can do is replace damaged hardware, not recover lost data. If that same money is put towards a better recovery plan, then management can rest assured that, in the event of a loss of data, they can get it back quickly and with minimum interruption to the business.

    As for the legal protection aspects of the insurance (lawsuits, copyright issues, etc.), I'd be skeptical that they may just be tossing out some buzz words to attract fearful managers who want to shield themselves from the evils of the modern Internet. If your company is at risk of being sued for such things, an insurance policy is not the answer. Fixing whatever is causing the risk would be a better approach.

    --
    http://publicvoidlife.blogspot.com
  2. Always Self-Insure If You Can Afford To by 4of12 · · Score: 2, Insightful

    ...is that, if it is possible for you to do so, it is always cheaper to insure yourself.

    Large corporations do this all the time.

    The only time you need to contract out for insurance for whatever is if you can't afford to absorb the loss and don't mind paying a premium for someone else to do it.

    My advice?

    Look again at the list of what they insure against.

    Create a plan to assess and mitigate each of those risks yourself. Take some time to research things, perhaps even call in an expert consultant for a couple of days.

    At the end of the day you'll have saved yourself a bunch of money and be more secure than you were before.

    [Besides, I would expect the insurance company itself to come in and "insure" that best practices were being followed so as to decrease the likelihood that they'd ever have to pay out on a claim. Kind of like the provisions in life insurance policies where you need a physical exam, promise not to go hang-gliding or sky-diving, etc. before they actually issue you a policy.]

    --
    "Provided by the management for your protection."
  3. What are you insuring? by beegle · · Score: 3, Insightful

    There are two types of insurance that they're offering you in this package:

    - Liability insurance (somebody sues you because of X)

    - Accident insurance (a bad thing happens that costs a lot of money to fix)

    You need to treat these separately. My take on it:

    - You need some sort of liability insurance, particularly if you're dealing with Americans (I say this as an American, and I am ashamed). This may be as simple as "kick-ass lawyers on retainer" or it may be a comprehensive liability insurance policy. Make sure that your liability policy covers computer-related events.

    - You're going to get screwed on the accident insurance. There'll be words scattered throughout the policy that relieve the insurance company of liability if anyone at all can claim that it's your fault. Since there's -always- something else that you can do to protect yourself, you won't ever be covered if the shit hits the fan. Hire a good dedicated sysadmin (or several, if you can afford it) who has a good idea of industry best practices, including comprehensive recovery policies. Develop clear policies and procedures and run them past a technically-clued lawyer (yes, they do exist!) to ensure that you've covered privacy issues adequately. Once you have a disaster recovery plan, figure out how much it'll cost (yes, this means collaboration with the bean-counters), and convince the head boss to ensure that there's enough cash available to implement the disaster plan. If the cash isn't available, get insurance for at least that amount.

    This work will cause a one-time cost hit that's probably more than $3500, but you'll know exactly what you're getting, and more importantly, you'll be getting something more than a hot-air promise from an insurance salesman. You'll actually make your business more stable and more attractive to clients and investors ("We have a comprehensive disaster recovery plan" makes big customers happy because they worry about what happens if your little company goes away). As a nice side effect, it'll probably lower your insurance premiums because you're a lower risk.
