Q: My company is considering some form of insurance protection for our E-business infrastructure. What’s involved in applying for coverage, and do we have to invest in certain technology safeguards in order to be covered?
A: Internet liability policies can provide coverage for a company’s loss of income due to Web site unavailability; extortion expenses from threats to divulge confidential information or release a virus; and damages from third parties due to a security failure or Web site content that is libelous, violates privacy rights, or infringes on others’ intellectual property.
Insurance companies have changed their audit requirements since the original Internet liability policies rolled out about two years ago. At first, insurers were requiring that all policyholders have satisfactory security assessments, conducted by outside firms, at a cost starting at $7,500. This requirement was hampering the insurers’ ability to sell the product, however. As a result, most insurers have gone to an online assessment instead. For AIG’s NetAdvantage products and New Century ECommerce Plus (offered by E-Sher Underwriting Managers), a multiple-choice questionnaire is completed online. The results are instantly available to both the company and the insurer.
For companies in certain industries (financial institutions and healthcare, for example), complex risks, or for certain types of policies, insurers may still require an outside assessment. The cost of the assessment may be in addition to the premium, but in some cases is included. If the company has recently conducted an outside security assessment, insurers will normally accept it in lieu of an additional assessment.
An assessment is not required for policies that cover only losses claimed by third parties, like Chubb’s Safety’Net and MediaPro’s CyberLiability Plus. The application and interview process provide the insurer with information necessary to offer a policy.
The degree of network security that a company must have to be insurable depends heavily on the company’s risk characteristics. For example, a company that offers online tax filing would need to have extremely strong controls to authenticate users, transmit confidential data and prevent unauthorized access to customer data. A company that has a static website with brochure-type information would not need to demonstrate such stringent controls. However, there are a few basic measures that every applicant should have in place:
- A firewall must be operating
- The system must be backed up regularly
- Virus detection must be run and updated regularly
- Acceptable usage agreements with employees must be enforced
- Remote user authentication procedures should be tight
- Disaster recovery and contingency plans must be appropriate to the company’s reliance on its networks
- Users with special privileges should be closely monitored and controlled
- Someone in the organization must be responsible and accountable for maintaining system integrity
Chat rooms, discussion forums and bulletin board services are a particular concern to insurers. Matt Mueller, regional manager of Chubb’s Technology Insurance Group, says that he looks for “near-instantaneous” response to complaints from users, periodic policing of site content, and automatic searches for key words that could indicate libelous or offensive postings.
–Jane R. Musgrave, ARM
E-Business Practice Group