[ISN] Can you afford to lose your data?

InfoSec News isn at c4i.org
Fri Nov 18 02:14:26 EST 2005


http://www.theglobeandmail.com/servlet/story/RTGAM.20051117.wsrcyberinsur17/BNStory/Business/

By GRANT BUCKLER 
November 17, 2005
Thursday's Globe and Mail

A fire in your company's data centre destroys computers and data
critical to your business. Your property insurance probably covers the
wrecked equipment and the value of the data it contained.

But if the same data is lost due to a computer virus or a hacker
attack -- or if a customer sues you because private data was
accidentally made public -- chances are you are not covered.

Though more and more of the information on which businesses depend is
kept in electronic form, and the risks to that data are numerous and
well publicized, the insurance industry has paid relatively little
attention so far to protecting customers against losses due to
computer viruses, hackers, programming errors and catastrophic system
failures.

"The industry has pretty much languished over how to deal with the
whole idea of property loss over data," says Michael McQuaid,
vice-president of corporate risk at insurance broker Insurers
Financial Group in Richmond Hill, Ont.

You can purchase special insurance designed to protect your business
against data loss and related risks. But getting the best deal on such
insurance -- or getting it at all -- requires that you understand the
value of your data and the risks you face and that you take proper
precautions to guard against system break-ins, viruses and data
falling into the wrong hands.

Standard commercial property insurance usually covers data loss that
results from loss or damage to physical property covered by the
policy. So if a computer room is destroyed in a fire or flood, the
equipment and the data it contains is covered -- but not otherwise.  
"You must have physical loss to tangible property," Mr. McQuaid says.

Most property insurance policies today make this explicit by excluding
data unless it is lost due to a "named peril," like a fire or flood.

One way around this is to persuade your insurer to "endorse" your
policy to remove the data exclusion. But Mr. McQuaid says relatively
few insurers are willing to add such endorsements to property policies
today.

You can, however, purchase standalone insurance against data loss or
misuse.

American International Group Inc. of New York offers Information Asset
Coverage that will pay the cost of restoring lost data from backups
or, if that can't be done, the cost of reconstructing the data,
however possible. It also covers the cost of lost business due to loss
of data.

Designed for companies with $10-million or more in annual revenues,
policies are available with coverage limits from $1-million to
$25-million (U.S.) per incident, up to a maximum of $25-million (U.S.)  
for the life of the policy, says Nick Economidis, vice-president and
product manager for technology at AIG.

Chubb Insurance Co. of Canada in Toronto launched a product in April
that protects against viruses, theft of proprietary information and
unauthorized access to data. Depending on the amount of coverage
purchased, policies will pay claims of up to $1-million for incidents
caused by factors inside the insured company and up to $10,000 per
occurrence to a $50,000-per-year maximum for incidents caused by
outside factors.

The more restricted payouts for incidents caused by outside factors
are because such incidents -- like virus attacks -- could lead to
claims from many policy holders at the same time, says Andrew Steen,
vice-president of technology insurance specialty at Chubb Canada.

Rosaleen Citron, chief executive at WhiteHat Inc., a Burlington, Ont.,
computer security management company, says too few companies think
about insuring their data. Many take the attitude that, if attacked,
they will simply absorb the cost, she says, but that is a risky
strategy. "If I were a big company, I would certainly be looking at
cyber-insurance."

However, it's not as simple as just buying a policy.

The first issue is: What insurance do you need? And that depends on
the value of the data and the risk. Putting a value on data is tricky,
Mr. McQuaid says, but it ultimately comes down to what it would cost
your business if the data were lost. Would the loss be a day's sales?  
A six-month delay in launching a new product? Half your customers
switching to the competition? Would the business even survive if
certain data were lost? And how would you recreate the data?

Having assessed the risks as best you can, the next step is to do
everything possible to guard against them. Aside from the fact that
insurance money can't really compensate for loss of critical business
data, you may not even get insurance if you haven't taken reasonable
security precautions, and you will probably pay less if your security
practices are sound.

The exact requirements vary from one organization to another, but the
basics include an accepted standard of network security, clearly
stated and regularly updated security policies, prompt installation of
critical software updates and encryption of sensitive data.

You may also need to look at contracts with other companies, Mr.  
McQuaid suggests -- those that have access to your data as part of
services they provide to you, for instance. Are those partners taking
adequate precautions? And who is responsible if your data is lost or
improperly disclosed due to an error on their part?

In evaluating an applicant's security protection, insurers often look
at an International Standards Organization standard called ISO 17799.  
"That basically is a framework which defines best practices for
network security," says Narender Mangalam, director of network
security and underwriting at AIG.

ISO 17799 does not tell you exactly what to do, notes Tom Slodichak,
chief security officer at WhiteHat. It outlines a number of areas,
such as physical security, access controls and encryption. Calling it
"a very high standard," Mr. Mangalam says AIG treats ISO 17799 as a
guideline, not a list of must-have items.

The quality of a company's security protection determines not just
whether it's eligible for insurance but what coverage it can get at
what cost. Mr. Economidis says AIG's underwriters use a rating system
to determine what premiums a client pays. Mr. Steen says Chubb offers
a minimum level of coverage to all customers, but "more coverage would
be available and at a more cost-effective price" for those with better
security in place.

Charles Salameh, president of Bell Security Solutions Inc., a unit of
Bell Canada that provides security consulting services to businesses,
says a company that does computer security well can save 3 to 5 per
cent on insurance premiums. "It's no different than driving for six
years without getting into an accident," Mr. Salameh says.

BSSI, which assesses potential insurance clients' computer-security
risks for Itasca, Ill.-based insurance firm Arthur J. Gallagher & Co.,
also provides consulting services to help companies seeking insurance
against data loss and network intrusions get better deals.

Options for insuring data are limited but increasing.

"I do believe the market will step up to this," Mr. McQuaid says.  
Either standard property policies will include more coverage for data
loss, he predicts, or a wider range of specialized policies will
become available.





More information about the ISN mailing list