Management has asked you to report on the aftermath of the Nimda virus and the steps you've taken to protect your enterprise servers and workstations. Your checklist includes server updates, firewall updates, patches for Outlook and Internet Explorer (IE), backup and recovery plans, physical access security, and a review of your digital risk insurance, right? Digital risk insurance?
Digital risk insurance is a relatively new concept, although some companies have been selling such coverage since at least 1998. The coverage offers protection against business losses that can occur from hackers invading your system, email virus transmissions, attacks on Web servers, employee error, and other hazards that are becoming all too common. Companies writing this type of coverage include American International Group (AIG), Cigna, INSUREtrust.com, Marsh & McLennan, Lloyd's of London, Safeonline, and Wurzler Underwriting Managers. Some of these companies are teaming up with security monitoring firms to offer a complete package.
Typically, digital risk insurance covers loss of revenue, additional operating costs, public relations expenses, intellectual property recovery, computer virus clean-up, theft of credit card data, and other costs that you might incur after a security breach. Such coverage isn't just for the largest companies. Safeonline offers several products for small to midsized enterprises with fewer than 250 employees. Premiums for its SafeEmail coverage, which includes virus transmissions, defamation, privacy violations, and unlawful use of information that might occur through email messages, start at 249 British pounds ($367) for up to five email users.
If your company decides to take out a digital security policy, expect to receive a comprehensive assessment of your current security protection status—not just as part of the application process but also at regular intervals after the policy goes into effect. Insurance firms underwriting such coverage want to know how much of a risk you present. Just as you might pay more for insurance for a wood-frame house than for a brick house, your current security infrastructure can have a bearing on the rates you pay. Wurzler says that for favorable assessments, it might discount rates by between 5 and 60 percent. However, Wurzler has also said that it would charge 5 to 15 percent more for companies that use Windows NT 4.0 on Internet servers.
AIG offers an online self-assessment consisting of 67 questions about your company security policy, network infrastructure, security-incident handling, perimeter security, virus protection, backup and log processes, Internet use, and other issues. Completing such an assessment can help focus attention on the most vulnerable parts of your digital infrastructure.
Of course, your existing all-risk business insurance might already cover at least some digital perils. If you review your existing coverage with your insurance broker, attorney Leonard D. DuBoff suggests that you be sure to ask whether you have business-interruption insurance that will compensate you if a computer virus damages your data or forces you to shut down systems.
What's your company's take on digital risk insurance? Is such coverage more than you think you need, or does it dovetail perfectly with your organization's security plan?