The Increasing Inevitability of Cyber Insurance

Back in the days when I was president of Oracle On Demand, we made a proposal to deliver a discrete manufacturing application-as-a-service to a computer manufacturer. In the course of the discussions, the manufacturer’s CIO asked, “If this service goes down, we lose $1 million an hour. So, will you carry that liability?”

As many of you familiar with traditional contracts for software or services know, provider liability is typically limited to services rendered-to-date. For example, if you’d paid $10,000 per month for the service for the past nine months, the limit most vendors would provide would be $90,000.

Drive Business Strategy and Growth

Learn how NetSuite Financial Management allows you to quickly and easily model what-if scenarios and generate reports.

Learn more About Oracle NetSuite

So, our answer to the CIO was, “No.”

I got to thinking about this and realized what we were missing was not a technological solution to the CIO’s problem — after all, no technology, no matter how good, can guarantee no outages, no security breaches, and no possible loss of private information — but a business solution.

It’s called insurance, which was designed to manage and spread risk.

Accordingly, we reached out to Marsh & McLennan to work out an insurance package that, based on its understanding of our standard availability, security, performance, and change-management processes, would provide a lower cost (as it would be standardized) policy than a one-off such as Lloyd’s of London insuring Betty Grable’s legs (20^th Century Fox had them insured for $2 million, $1 million per leg) or Bruce Springsteen insuring his voice for $6 million. Sadly, many of the Marsh team working on the idea perished in the World Trade Center on September 11, 2001, and the discussion ended.

Eleven years later, I met with Lauri Floresca, senior vice president at insurer Woodruff Sawyer, to learn that there has been some progress made in introducing what is now called cyber liability insurance. But it’s still a very specialized product, with a lot of limitations, and it’s often focused rather exclusively on the exposure of personal information. Given that IT systems today are as important to business as plants, equipment, and office buildings, doesn’t it make sense to be as sophisticated in using insurance products to mitigate IT risk as we are in protecting our other key assets?

So when it comes to insurance, what should CFOs think about doing?

• Reviewing their business-continuity plan with particular focus on their IT risks.
• Understanding how well their current insurance programs support that plan (property, business interruption, and cyber liability coverage).
• Identifying those risks that fall between the cracks of their coverage and may require creative risk-management solutions.
• Start asking their application, compute, storage, or data center cloud-service providers whether they will offer such a policy on their particular service. Business mitigates, manages, and spreads risk through insurance for its buildings; why not for its IT infrastructure, which is, when you think about it, another sort of building?

Today there are businesses, like RMS, that provide catastrophic risk modeling for the insurance industry. These are data-intensive, highly sophisticated models that project the risk of property damage in the event of an earthquake or hurricane. 

IT systems are complicated, but far less so than Mother Nature’s systems. It’s time to see the degree of sophistication insurers and their clients employ for insuring physical assets applied to virtual ones.

Timothy Chou teaches cloud computing at Stanford University. He is the former president of Oracle On Demand and the author of Cloud: Seven Clear Business Models.