Getting Insured
Currently, data insurance mostly covers medium and large-size businesses. "What you're not likely to see for the next three years, at least, is a set of scalable insurance products that small to medium-size businesses will be able to understand and afford," SafeCorp's Strauss says.
The process of acquiring data insurance isn't that different from obtaining health insurance: Fill out some forms, then let a doctor check you out. The first step is to complete an insurance application, which includes questions about the technology products and services you use, and the people who manage the risks that you want to cover.
The second step is often an online security assessment, during which the CTO answers more detailed questions about the company's networking policies and procedures. Those two documents go to the underwriter, who may offer a quote. The insurance company might ask for an on-site security audit, which means that experts will interview employees and even attempt basic network intrusion techniques.
What will it cost to insure your data? That depends on many variables, including the type of insurance you choose, the amount of liability you have, the size of your company, and the security procedures your company has in place. "It would be fair to say that I have clients that spend as little as a few thousand dollars a year, and I have clients that spend hundreds of thousands a year," Sagalow says.
Determining the value of the data you want insured may not be easy. A single database or secret recipe may be the heart of your business, and estimating the worth of that intangible asset is a problem that can give CFOs nightmares.
"Until the insurance customers (enterprises, businesses, infrastructure suppliers, et cetera) can do a much better job of quantifying the value of stuff, for real, then we don't deserve better from the insurance guys," Strauss says.
You can likely get a discount on insurance premiums depending on the technologies you use. For instance, AIG gives discounts to businesses that use the eTrust software suite from Computer Associates, RSA SecurID two-factor authentication, and the security assessment services of Unisys or Internet Security Systems.
"Eventually, the insurance industry will subsume the computer security industry," Schneier says. "The kind of firewall you use, along with the kind of authentication scheme you use, the kind of operating system you use, and the kind of network monitoring scheme you use, will be strongly influenced by the constraints of insurance. What will happen when the CFO realizes he can cut his insurance premium in half if he gets rid of all his insecure Windows OSs and replaces them with a hardened version of Linux? The choice of which OS to use will no longer be 100 percent technical."
Practices regarding the confidentiality of customer information are largely unregulated in the United States, at least at the federal level. There are exceptions, however, that are usually aimed at specific industries. For instance, the Gramm-Leach-Bliley Act focuses on privacy rules for financial institutions, the 1996 Health Insurance Portability and Accountability Act affects the medical industry, and the Children's Online Privacy Protection Act aims to protect children's privacy. Many states add their own privacy laws to the mix.
Choosing an Insurer
When choosing an insurer, look for one that has a specialized e-business unit and underwriters who understand the technical issues involved in data loss and Internet security. Look for a company with global reach. Sagalow suggests looking for carriers with a high capacity, the maximum amount of liability they will put out on any account. "The capacity gives you a hint of the confidence they have in their underwriting. If you ever want to go beyond that limit, you have to go somewhere else."
Protecting Your Crown Jewels
You can have the strongest firewall, the best IT team, and a crack network administrator, but none of these can guarantee that your network will always be secure and your critical files will remain intact. Despite your best efforts, a bored "script kiddie" could delete your product's source code, or a clumsy backhoe operator could inadvertently cut a fiber-optic line, bringing your business to a halt.
"Security is a process, not an event. It's not like fire, where you put in a sprinkler system and smoke detectors, and you're done. Your network is constantly in flux with new services, new employees, new operating systems and applications," says Scott Charney, principal at PricewaterhouseCoopers's cyber crime prevention and response group.
"Protect your crown jewels," he says. "Identify what you're trying to protect and the value of what you're trying to protect. This is risk mitigation, not risk elimination. You can't get down to zero risk. An e-policy will help you deal with the risk you cannot eliminate."
Schneier reminds clients that insurance is a risk management tool. "It turns a variable cost into a fixed cost," he says. "Businesses always like predictability, so insurance is a no brainer."
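As an added illustration, not code from the article or from any insurer it names, the following Python simulation puts numbers on two points made above: Schneier's observation that a policy turns a variable cost into a fixed one, and Sagalow's warning that a carrier's capacity (the per-incident limit) caps what is transferred. The incident rate, loss severities and policy terms are assumed for the example; the model (a Poisson number of incidents per year, each with a lognormal cost) is a constructed one, not real loss data.

```python
# Added illustration (not from the article): simulating how a cyber-insurance
# policy with a deductible and a per-incident limit ("capacity") converts a
# highly variable annual loss into a nearly fixed annual cost.
# All rates, severities and policy terms below are assumed, not real figures.
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    premium: float     # fixed annual cost of carrying the policy
    deductible: float  # self-insured retention on each incident
    limit: float       # per-incident capacity: the most the insurer will pay


def insurer_pays(loss: float, policy: Policy) -> float:
    """Insurer's share of one incident: the loss above the deductible, capped
    at the limit. Anything beyond the limit is not transferred anywhere."""
    return min(max(loss - policy.deductible, 0.0), policy.limit)


def retained_loss(loss: float, policy: Policy) -> float:
    """Share of one incident the insured still absorbs: the deductible plus
    any amount above the carrier's capacity."""
    return loss - insurer_pays(loss, policy)


def poisson(rng: random.Random, rate: float) -> int:
    """Knuth's sampler: number of incidents in a year with expected count `rate`."""
    threshold = math.exp(-rate)
    count, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= threshold:
            return count
        count += 1


def simulate_year(rng: random.Random, incident_rate: float,
                  severity_median: float, severity_sigma: float) -> list[float]:
    """One constructed year: a Poisson number of incidents, each with a
    lognormal cost. The lognormal tail is what makes uninsured cost so erratic."""
    n = poisson(rng, incident_rate)
    mu = math.log(severity_median)
    return [rng.lognormvariate(mu, severity_sigma) for _ in range(n)]


def compare(policy: Policy, years: int = 5000, seed: int = 7,
            incident_rate: float = 0.8, severity_median: float = 40_000.0,
            severity_sigma: float = 1.0) -> dict:
    """Annual cost distribution with and without the policy over many
    simulated years, using the same random incidents for both cases."""
    rng = random.Random(seed)
    uninsured, insured = [], []
    for _ in range(years):
        losses = simulate_year(rng, incident_rate, severity_median, severity_sigma)
        uninsured.append(sum(losses))
        insured.append(policy.premium
                       + sum(retained_loss(loss, policy) for loss in losses))

    def summary(costs: list[float]) -> dict:
        return {"mean": statistics.fmean(costs),
                "stdev": statistics.pstdev(costs),
                "worst": max(costs)}

    return {"uninsured": summary(uninsured), "insured": summary(insured)}


if __name__ == "__main__":
    # Assumed policy: $60k premium, $10k deductible, $1M per-incident capacity.
    policy = Policy(premium=60_000.0, deductible=10_000.0, limit=1_000_000.0)
    for label, stats in compare(policy).items():
        print(f"{label:9s} mean ${stats['mean']:>10,.0f}  "
              f"stdev ${stats['stdev']:>10,.0f}  "
              f"worst year ${stats['worst']:>12,.0f}")
```

Running it shows the insured column with a higher mean (the premium carries the carrier's loading) but a far smaller standard deviation and worst year, which is the predictability Schneier is describing. Raising the simulated severity or lowering `limit` makes losses above the capacity reappear in the insured column as retained cost, which is exactly why Sagalow treats capacity as a selection criterion.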
Kevin has been a freelance computer technology writer for the past decade. Visit him at www.savetz.com.
Major providers of data insurance include:
American International Group
The Hartford Financial Services Group
InsureTrust
The St. Paul Companies