
CFO Magazine, August 2000

Hacking It

Take the case of AlphaTrust Corp., which was put through its paces last fall by Insuretrust. "Our security assessment cost us about $20,000," says Bill Brice, CEO of the Dallas-based electronic signature firm, "but we feel the cost was worth it. We provide technology that enables secure transactions to take place between online businesses. If someone were to access the digital credentials of one of our users to make a fraudulent transaction, it would erode our brand. Although the chance of this is exceedingly remote, you never know."

So AlphaTrust decided to make sure its "fraud-free" warranty to customers was backed up by appropriate insurance. "We went through a detailed 'top to bottom' physical and technical analysis of our security, networks, and procedures," Brice says, noting that the company would have undertaken this analysis on its own, had not its insurer required it. "It validated our entire architecture," he explains.

Atlanta-based LockBox Communications Inc. also paid for the security assessment required by insurance broker Marsh, which offers NetSecure, a suite of cyberinsurance policies backed by several insurers' capital. The assessment can have value beyond the mere vetting of a potential client. Marsh uses a third party, Internet Security Systems (ISS), also based in Atlanta, and when the audit was complete, LockBox CFO Chris Williams says, "they came back with a few suggestions, which were helpful and which we implemented. As part of our coverage, ISS will provide ongoing monitoring of our security processes." Williams wanted the testing at least as much as the insurance itself. "We're still waiting to see how much it will cost, and so far things look good," he says. "There's no way I'm going to go bare [without insurance]. But the audit is just as valuable."

Other companies, however, balked at paying for the required security audit. "We were talking with Marsh last fall about our need for cyberinsurance, when they said we had to undertake a $25,000 security assessment," says Bill Pedersen, CFO of Milliman & Robertson, a Seattle-based firm of consulting actuaries and health-care management professionals. "They presented such a list of hurdles we'd have to surmount, in terms of an audit, that we decided to go bare. Plus, they were asking way too much."

Milliman & Robertson created a Web site last year to sell online continuing medical education (CME) courses to physicians, and wanted insurance to absorb the risk of customer credit card theft. "We wanted to make sure we had financial protection in the event an unauthorized individual used our Web site to gain access to internal networks and customer data," says Pedersen. "At the end of the day, given the cost of the underwriting audit, we decided to absorb this liability through prudent risk management." So the firm added some monitoring tools to the site, as well as Web security solutions.

An End to Audits?
But as competition heats up, McDonough says, expensive audits are beginning to fall by the wayside. "Underwriters are realizing they have to take a certain amount of information on faith--that their clients know what they're doing, have a good track record, and can show in laymen's terms that they're secure," he says.

AIG is among those companies moderating their stringent underwriting stance. The New York-based insurer recently introduced a three-level underwriting process. The first level involves an online application, and, if the company passes relevant underwriting criteria, a conditional premium quote is provided within two days at no cost to the applicant.

The second level involves an online assessment, in which the applicant completes a security questionnaire and the insurer's technology-security partners (companies that include IBM, RSA Security, and Global Integrity Corp.) evaluate the applicant's security remotely, a cheaper alternative than an on-site audit. The third level calls for the full-bore customary physical assessment.

Caveats And Caviling
A less-stringent underwriting process may not be appropriate for all companies, however. "A remote scan of a company's security doesn't deal with the human-element issues, which are really the major issues," says Steven Haase, CEO of Insuretrust.com. "You need someone to examine the business model, policies, and procedures, in addition to scanning the systems. Look at it this way: lots of fires occur at sprinklered facilities because someone shut the sprinklers off. There is no such thing as an airtight system, because they're all dependent upon people."

"I'd be very cautious about underwriters willing to provide insurance without really taking a look at your procedures and policies," says Ron Johnson, western regional manager of E-business solutions at Zurich U.S. in San Francisco. "Insurers are trying to buy market share by approaching E-risks like traditional insurance. But these are not traditional exposures. There will be some really serious losses in this market in the next month or next year. And that will scare the pretenders away."

Such scenarios may raise questions about whether, in such a new market, coverage levels will be sufficient. McDonough says the top insurers offer limits of $25 million and beyond, which would be enough to cover most losses--at least based on past types of damage. Companies that suspect this may not be enough can stack several insurers to achieve additional coverage. Analysts urge companies to get their legal departments involved in approving the policies; insurance contracts are often vague, and, given that there may emerge heretofore unknown forms of cyberrisk, a well-written contract may be the best defense.
