US hacker insurance to skyrocket

In January, the hacker insurance market increased as many existing commercial general liability policies expired and were replaced by policies that contain explicit exclusions for hacker-related losses.

According to the Insurance Information Institute, a policy covering revenue lost due to hacking costs about $4,000 per year for each $1m in coverage.

Policies generally insure against losses due to hackers, viruses, worms, cyberterrorism, programming errors or intellectual property theft on the internet.

The Love Bug, Melissa, Code Red and other vulnerabilities have cost companies more than $54bn in down time, removal expenses and repairs, according to Computer Economics.

‘Fears about how such vulnerabilities and attendant magnitudes of loss might impact on national security have reached a critical mass,’ attorney Robert Steinberg of Latham & Watkins wrote in a recent brief, ‘Particularly given the post-11 September climate.’

The Bush administration has also pushed insurers to work with businesses to set up a security baseline in the private sector.

For example, American International Group, the world’s largest insurance company, said business espionage has become an increasing concern as 72% of US high-tech companies believe they are a target for domestic espionage, 46% cite foreign competition and 32% fear foreign governments.

Still, AIG, which writes about 70% of cyber policies in the US, has only issued 2,000 policies so far, each with a minimum price of $10,000.

Gartner analyst John Pescatore said cyber insurance gets a temporary boost after every high-visibility attack, like Nimda or Slammer.

But he warned: ‘Enterprise legal counsels and chief financial officers aren’t yet convinced that hacker insurance will limit their liability or ever recover the costs of the premiums plus the deductibles.’

Pescatore said it is not that the economic implications of the attacks are not well understood, it is that the value of hacker insurance is not clear at all.

He said, for example, that no one can point to any case law or legal precedent that would indemnify a company from all liabilities that might spring from a hacker attack.

‘It doesn’t seem particularly hard to get the insurance,’ Pescatore said. ‘Worst case, an enterprise needs to undergo a security audit, which most enterprises do regularly anyway.’
