Network World - Heartland Payment Systems figured it was in pretty good shape when it took out a $30 million cyber insurance policy. Unfortunately, the credit card transaction processor was the victim of a massive data breach in early 2009 that resulted in losses estimated at $145 million. The insurance company did pay Heartland the $30 million, but the company was on the hook for the remaining $115 million.
So, is cyber insurance worth it? Is it right for your company? What type of coverage should you get? How much is enough? And what are the gotchas to watch out for?
The first point to understand is that standard business insurance does not cover data breaches or almost any other loss involving data. Standard insurance covers tangible losses and damage. Data isn't tangible.
For that distinction you can thank American Guarantee & Liability Insurance Co. vs. Ingram Micro Inc., a U.S. District Court ruling in Arizona in 2000. The court said that a computer outage caused by a power problem constituted physical damage within the meaning of the policy Ingram Micro had purchased from American Guarantee.
"After that, the insurance firms changed their policies to state that data is not considered tangible property," says Kevin Kalinich, national managing director for network risk at insurance vendor Aon Risk Solutions. The upshot is that an enterprise needs special cyber insurance to cover data-related issues. The problem is that the field is new and there is no such thing as standard coverage with a standard price.
The resulting complexity is a major source of push-back by potential buyers, according to Larry Ponemon, chairman of the Ponemon Institute, a research organization focused on information security and protection.
"The policies have limitations and constraints similar to home policies with act-of-God provisions, and that has created a lot of uncertainty about what is covered, and what the risks are," Ponemon says. "Those who are nevertheless purchasing cyber insurance are typically very selective about what coverage they want," he adds.
Types of cyber coverage currently available include:
Data breach coverage: This pays for expenses that result from a data breach. Covered expenses typically include notification of the victims, setting up a call center, credit monitoring and credit restoration services for the victims, and other crisis management services, says Ken Goldstein, vice president at the Chubb Group, an insurance vendor. "You might want to hire forensic experts, independent attorneys for guidance concerning the multiple state (data breach notification) laws, and public relations experts. The more thoughtful ones respond in a way that shows they are taking the situation seriously," he says.
Regulatory civil action coverage: Pays in cases where the insured is facing fines from a state attorney general after a data breach, or from the federal government after a violation of the Health Insurance Portability and Accountability Act (HIPAA) or similar regulations. Some policies only cover the cost of defending against the action, while others may pay the fine as well, says Steven Haase, head of INSUREtrust, an Atlanta-based specialty insurance provider.