Cyber insurance supplements, not replaces, data breach security

By Colin Steele, Features Writer 26 Jun 2007 | SearchSecurityChannel.com

Channel News Update Digg This!     StumbleUpon     Del.icio.us

Insurance providers are seeing more demand for privacy breach policies -- known as "cyber insurance" in the technology world – as a way to protect end-user companies from penalties following highly publicized data breaches and the financial tolls they have taken on the companies whose data are breached.

But channel companies should not take that as a knock against their products or services, according to Robert Scott, a partner with Dallas-based Scott and Scott, which advises businesses on legal and technical issues. Scott recommends that all his clients get privacy breach policies to supplement their existing security plans.

The purchase of a cyber insurance policy does not mean that a client is dissatisfied with the security products and services purchased from value-added resellers (VARs), systems integrators (SIs) and managed service providers (MSPs).

"Regardless of the strength of your system, you're going to have a high percentage of companies suffering data breaches,"

It's not the be-all and end-all strategy. It's one tool in the tool chest. It certainly is not a silver bullet. Robert Scott partner, Scott and Scott

Scott said. Most breaches are caused by a physical breach, like an employee losing a laptop, not a stereotypical attack from outside.

There are two ways that VARs, SIs, MSPs and even direct-to-market vendors can avoid being held liable for breaches themselves.

First, they can try to include a disclaimer during contract negotiations with clients, so they're not liable even if the worst should happen.

But in cases where customers refuse to sign, channel companies that do assume risk have their own insurance option: It's called an "errors and omissions" or "professional liability" policy, and it prevents their clients from seeking damages against them in case of a data breach. Some clients won't even do business with channel companies or vendors that don't have such a policy.

"It's starting to show up in more and more contracts but is typically not required," said Steve Haase, CEO of INSUREtrust, an Atlanta-based cyber insurance brokerage.

The price of those policies depends on the size of the vendor or channel company and the level of coverage desired. But they typically run between $25,000 and $50,000 per million dollars of coverage for large policyholders, and between $15,000 and $20,000 for smaller ones, said Patrick Donnelly, co-managing director of professional risk solutions for Aon Financial Services Group.

Insurance providers are not seeing the same large increase in demand for those policies because they have existed for decades, and many clients require VARs, SIs and vendors to purchase those policies before entering into any contracts, according to Nick Economidis, vice president and product manager for AIG's National Union Fire Insurance.

For end-user businesses and organizations, purchasing cyber insurance is not so cut-and-dried. Although most policies cover the crisis management costs of a data breach -- public relations expenses, consumer notification and free credit monitoring, and legal defense and liability -- they will not pay for lost intellectual property.

"There's no fair way to value it," Economidis said.

They also don't cover the immeasurable cost of restoring the public's confidence in a company.

"Perhaps the biggest damage can be to reputation," Donnelly said. "Insurance companies won't be able to help with that issue."

Most privacy breach policies follow the same price scale as errors and omissions policies, Donnelly said. Clients can add on extra coverage, like for losses caused by rogue employees or breaches that occur via mobile devices, but each of those comes with a higher price tag, Haase said.

Still, Haase said cyber insurance for the most part is not cost-prohibitive. Some of his clients have purchased $10 million in

More cyber insurance resources Cyber insurance 101: What it is, what to watch for Where's the cybersecurity coverage these days? Just in case: When all else fails, there's cyber insurance

coverage this year for what would have gotten them only $5 million in coverage last year, he said. And he expects premiums to stay on the decline as more providers and brokers enter the market.

Even if price is not a obstacle, there can be others -- like finding a company to underwrite a policy in the first place. Providers examine potential clients' policies and systems for data protection before deciding whether or not to insure them.

National Union Fire Insurance, for example, has 11 criteria that potential policyholders must meet to purchase insurance. The company looks at everything from virus protection and firewalls to access controls and incident response before making a determination, Economidis said.

Just about 20% of businesses and organizations have some sort of cyber insurance now, but Haase expects that to increase as prices go down and the breadth of coverage expands.

"Eventually this coverage will be a standard purchase by most businesses," he said.

Let us know what you think about this story; email: Colin Steele, features writer.

Tags: Data breach and leak prevention,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Security solution provider business management Managed security service provider guide Microsoft-IBM competition fuels SMB, midmarket channel opportunities How channel partners can profit from security vendor consolidation EMC announces enhanced partner program McAfee and Extreme Networks partner for secure networking Zecurion launches new channel partner program SonicWall to offer cloud-based antispam service Microsoft Partner Network allows for better customer relationships MSPAlliance accreditation programs vet managed services firms and practitioners Survey: Financial services sector may soon start spending on security Data breach and leak prevention Getting to know the NERC CIP standards Data protection fueled by data leakage prevention products and services Data breach prevention techniques: Helping customers avoid data breaches Security solution providers find new opportunities amid bleak economy What are the best data leakage prevention strategies for my clients? Data security: Alternatives to data leak prevention Pair data leak prevention product sales with consulting services Data leak prevention: Finding data before it's lost Data leak prevention strategies for security service providers Government security breaches bring work to channel

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary