Cyber Risk Insurance?
a little lethargic asks: "I work at a medium sized business (20-25 computer users, out of house web server, in-house Win2k profiles and file server, ADSL connection, firewalled, nightly tape backup - a pretty standard small business-type setup). Our insurance company's 'Technology Risk Group' is trying to get us to purchase 'Cyber Risk Insurance'. The minimum premium for their policies begins at Cd$3500. Management wants to know if we should consider this or not. Has anyone on Slashdot dealt with similar insurance issues and might they have experience or insight to share?"
"Here's the pitch, in their words:
Would you spend money obtaining such an insurance policy for your company?
New risks have emerged as corporations rely more heavily on information networks and the internet to improve their competitive position, efficiency and quality of service. Corporate governance mandates that principal risks be identified and appropriately managed and senior management be held accountable for the systems put into place to address and mitigate their risks.
A few examples of these risks include:
- Third party lawsuits as a result of a privacy breach and a release of personal or confidential information including identity theft
- Copyright and trademark infringement claims stemming from corporate web sites
- Business interruption as a result of a security breach, virus or network interruption
- Breach of corporate network security policies by an employee..."
Disaster Recovery (Score:1)
Your network is small enough to be able to recover fast from any "cyber" risk, provided that you have good backups and a disaster recovery plan.
Re:Disaster Recovery (Score:2)
Unless you actively TEST the backups, insure them.
Re:Disaster Recovery (Score:2, Insightful)
An analysis (Score:4, Interesting)
Back up your data.
For the examples:
If you're keeping your client data outside the firewall, you're asking for trouble. Put it behind the firewall. Back up your data.
Copyright and trademark infringement is a realm best left to the corporate attorney.
Back up your data.
Network interruptions for the outside world are inevitable, though hopefully rare; if you lose internet connection frequently, change providers. Viruses and break-ins can be prevented by AV software and firewalls. Frankly, too, if your business relies solely or largely on a website, you should have an offsite mirror.
Back up your data.
A breach of network security from inside can be prevented, but it's not impossible to abate entirely. Odds are though they did it so they could get their Kazaa connection going.
Did I mention that you really, really should back up your data, by the way?
It's crucial (Score:2)
Read the fine print. (Score:2)
Always Self-Insure If You Can Afford To (Score:3, Insightful)
...is that, if it is possible for you to do so, it is always cheaper to insure yourself.
Large corporations do this all the time.
The only time you need to contract out for insurance for whatever is if you can't afford to absorb the loss and don't mind paying a premium for someone else to do it.
My advice?
Look again at the list of what they insure against.
Create a plan to assess and mitigate each of those risks yourself. Take some time to research things, perhaps even call in an expert consultant for a couple of days.
At the end of the day you'll have saved yourself a bunch of money and be more secure than you were before.
[Besides, I would expect the insurance company itself to come in and "insure" that best practices were being followed so as to decrease the likelihood that they'd ever have to pay out on a claim. Kind of like the provisions in life insurance policies where you need a physical exam, promise not to go hang-gliding or sky-diving, etc. before they actually issue you a policy.]
I would be afraid... (Score:2)
Many lawyers pile up many billable hours based on determining "reasonable" in every different case, and you damn betcha an insurance company has better lawyers than most companies.
No Brainer (Score:2)
You say no, the worst happens, you lose your job (or at least are very, very, very unpopular).
It ain't your money.
What are you insuring? (Score:4, Insightful)
-Liability insurance (somebody sues you because of X)
-Accident insurance (a bad thing happens that costs a lot of money to fix)
You need to treat these separately. My take on it:
-You need some sort of liability insurance, particularly if you're dealing with Americans (I say this as an American, and I am ashamed). This may be as simple as "kick-ass lawyers on retainer" or it may be a comprehensive liability insurance policy. Make sure that your liability policy covers computer-related events.
-You're going to get screwed on the accident insurance. There'll be words scattered throughout the policy that relieve the insurance company of liability if anyone at all can claim that it's your fault. Since there's -always- something else that you can do to protect yourself, you won't ever be covered if the shit hits the fan. Hire a good dedicated sysadmin (or several, if you can afford it) who has a good idea of industry best practices, including comprehensive recovery policies. Develop clear policies and procedures and run them past a technically-clued lawyer (yes, they do exist!) to ensure that you've covered privacy issues adequately. Once you have a disaster recovery plan, figure out how much it'll cost (yes, this means collaboration with the bean-counters), and convince the head boss to ensure that there's enough cash available to implement the disaster plan. If the cash isn't available, get insurance for at least that amount.
This work will cause a one-time cost hit that's probably more than $3500, but you'll know exactly what you're getting, and more importantly, you'll be getting something more than a hot-air promise from an insurance salesman. You'll actually make your business more stable and more attractive to clients and investors ("We have a comprehensive disaster recovery plan" makes big customers happy because they worry about what happens if your little company goes away). As a nice side effect, it'll probably lower your insurance premiums because you're a lower risk.
Don't do it (Score:2)
Get It (Score:2)
Not insurance... (Score:2)
Although self insurance in the form of dedicated consistent backups is preven
Probably not worth it. (Score:1)
Re:Litigation Insurance (Score:1)