The Almighty Buck Technology

Cyber Risk Insurance?

a little lethargic asks: "I work at a medium sized business (20-25 computer users, out of house web server, in-house Win2k profiles and file server, ADSL connection, firewalled, nightly tape backup - a pretty standard small business-type setup). Our insurance company's 'Technology Risk Group' is trying to get us to purchase 'Cyber Risk Insurance'. The minimum premium for their policies begins at Cd$3500. Management wants to know if we should consider this or not. Has anyone on Slashdot dealt with similar insurance issues and might they have experience or insight to share?"
"Here's the pitch, in their words:
New risks have emerged as corporations rely more heavily on information networks and the internet to improve their competitive position, efficiency and quality of service. Corporate governance mandates that principal risks be identified and appropriately managed and senior management be held accountable for the systems put into place to address and mitigate their risks.

A few examples of these risks include:

- Third party lawsuits as a result of a privacy breach and a release of personal or confidential information including identity theft
- Copyright and trademark infringement claims stemming from corporate web sites
- Business interruption as a result of a security breach, virus or network interruption
- Breach of corporate network security policies by an employee..."
Would you spend money obtaining such an insurance policy for your company?

  • You need to consider the size of the business and the size of the network that is being insured.
    Your network is small enough to be able to recover fast from any "cyber" risk, provided that you have good backups and a disaster recovery plan.
    • Then the time of recovery should be insured.

      Unless you actively TEST the backups, insure them.
    • by cyber0ne ( 640846 )
      Solely in terms of Disaster Recovery, I'd have to agree with the parent and suggest that any money that would go towards such insurance be better spent ensuring a good recovery plan. If something were to happen to the company's data, an insurance payoff is of little consolation when all it can do is replace damaged hardware, not recover lost data. If that same money is put towards a better recovery plan, then management can rest assured that, in the event of a loss of data, they can get it back quickly an
  • An analysis (Score:4, Interesting)

    by dacarr ( 562277 ) on Tuesday July 20, 2004 @12:02PM (#9749998) Homepage Journal
    The "corporate governance" line - last I checked, that assumes your company has procedures in place that would do exactly that.

    Back up your data.

    For the examples:

    If you're keeping your client data outside the firewall, you're asking for trouble. Put it behind the firewall. Back up your data.

    Copyright and trademark infringement is a realm best left to the corporate attorney.

    Back up your data.

    Network interruptions for the outside world are inevitable, though hopefully rare; if you lose internet connection frequently, change providers. Viruses and break-ins can be prevented by AV software and firewalls. Frankly, too, if your business relies solely or largely on a website, you should have an offsite mirror.

    Back up your data.

    A breach of network security from inside can be prevented, but it's not impossible to abate entirely. Odds are though they did it so they could get their Kazaa connection going.

    Did I mention that you really, really should back up your data, by the way?

  • I'd say that "cyber risk" insurance is at *least* as crucial as sherbert [sluggy.com] insurance [sluggy.com].
  • This is a really tough question. $3500/year is inexpensive compared to many other operating expenses. The big question is: Does the policy provide any real protection? I have seen a few policies and the list of exception cases was greater than what was actually covered. Even in the event of a real claim there were enough loopholes that it was unlikely that the insurance agency would pay out. Loopholes such as vague descriptions of "proper procedures and safeguards." I have yet to see a policy that properly p
  • by 4of12 ( 97621 ) on Tuesday July 20, 2004 @01:47PM (#9750602) Homepage Journal

    ...is that, if it is possible for you to do so, it is always cheaper to insure yourself.

    Large corporations do this all the time.

    The only time you need to contract out for insurance for whatever is if you can't afford to absorb the loss and don't mind paying a premium for someone else to do it.

    My advice?

    Look again at the list of what they insure against.

    Create a plan to assess and mitigate each of those risks yourself. Take some time to research things, perhaps even call in an expert consultant for a couple of days.

    At the end of the day you'll have saved yourself a bunch of money and be more secure than you were before.

    [Besides, I would expect the insurance company itself to come in and "insure" that best practices were being followed so as to decrease the likelihood that they'd ever have to pay out on a claim. Kind of like the provisions in life insurance policies where you need a physical exam, promise not to go hang-gliding or sky-diving, etc. before they actually issue you a policy.]

  • ... of the insurance company attempting to weasel out of a claim following an attack/invasion, by saying that the flaw/sploit was something you should have "reasonably" known about and should have already fixed.

    Many lawyers pile up many billable hours based on determining "reasonable" in every different case, and you damn betcha an insurance company has better lawyers than most companies.

  • You say yes, the worst happens, you keep your job

    You say no, the worst happens, you lose your job (or at least are very, very, very unpopular).

    It ain't your money.
  • by beegle ( 9689 ) * on Tuesday July 20, 2004 @02:49PM (#9751489) Homepage
    There are two types of insurance that they're offering you in this package:

    -Liability insurance (somebody sues you because of X)

    -Accident insurance (a bad thing happens that costs a lot of money to fix)

    You need to treat these separately. My take on it:

    -You need some sort of liability insurance, particularly if you're dealing with Americans (I say this as an American, and I am ashamed). This may be as simple as "kick-ass lawyers on retainer" or it may be a comprehensive liability insurance policy. Make sure that your liability policy covers computer-related events.

    -You're going to get screwed on the accident insurance. There'll be words scattered throughout the policy that relieve the insurance company of liability if anyone at all can claim that it's your fault. Since there's -always- something else that you can do to protect yourself, you won't ever be covered if the shit hits the fan. Hire a good dedicated sysadmin (or several, if you can afford it) who has a good idea of industry best practices, including comprehensive recovery policies. Develop clear policies and procedures and run them past a technically-clued lawyer (yes, they do exist!) to ensure that you've covered privacy issues adequately. Once you have a disaster recovery plan, figure out how much it'll cost (yes, this means collaboration with the bean-counters), and convince the head boss to ensure that there's enough cash available to implement the disaster plan. If the cash isn't available, get insurance for at least that amount.

    This work will cause a one-time cost hit that's probably more than $3500, but you'll know exactly what you're getting, and more importantly, you'll be getting something more than a hot-air promise from an insurance salesman. You'll actually make your business more stable and more attractive to clients and investors ("We have a comprehensive disaster recovery plan" makes big customers happy because they worry about what happens if your little company goes away). As a nice side effect, it'll probably lower your insurance premiums because you're a lower risk.
  • Sounds like a scam to me- especially that premium. WAY out of proportion to your potential liability; if your bosses are really hung up on needing insurance I suggest you open your own business, bid $500 less, and let the money accumulate in a bank account until something actually does happen.
  • by waldoj ( 8229 )
    Get it. $3,500 is a bargain for a business of your size. One virus, one black-hat, one ill-timed tape loss and your business could be dead in the water for hours, days, or weeks -- business interruption coverage for technical problems is essential for any business that substantially depends on their computers. It's important to do all you can to reduce your risk -- backups, best practices, etc., as others have named -- but we all know that these things fail sometimes, usually due to human error, and there
  • It drives me nuts that the companies selling insurance call it insurance... It will not insure that nothing will happen, it is there 'just in case'. Just in case some moron cuts you off, just in case your computer gets wet, just in case a tornado throws a cow through your bedroom window and breaks your mother's tiara sitting on your night stand ;). I was thrilled to find an insurance agent who calls it what it is, 'Just in case'.
    Although self insurance in the form of dedicated consistent backups is preven
  • I'd be HIGHLY skeptical about this. Insurance companies are notorious for weaseling or trying to weasel out of contracts. They look at every little detail to try to find a way not to pay out (from their greedy POV, of course right). Sometimes they have vague clauses that you could end up in court over. This type of insurance, to me, seems really shady. I'd get my mitts on their contract and have an attorney look it over. One that deals with insurance claims and one that deals in IT/tech issues or someth
