Business Insurance Quotes
Got leaks? Insurance for times when everyone knows your business
Keeping secrets is becoming a big part of doing business. And WikiLeaks, an international non-profit organization that publishes secret and classified information from anonymous sources, has exposed the ease with which one well-armed informant can generate a wave of fear.
Last year WikiLeaks rattled many by publishing documents related to Baghdad airstrikes and the war in Afganistan, among other sensitive documents. Then Julian Assange, founder of WikiLeaks, shook Corporate America in November 2010 when he announced his organization would next "take down" a bank.
Assange didn't explicitly name the bank, but a year before his threat to leak the documents he mentioned that WikiLeaks had a hard drive from a Bank of America executive's computer. Following his remarks, the bank's shares fell. Since then, the stock has recovered and the company's managers have taken steps to prepare for the release of sensitive information and tighten its internal security systems.
Cyberinsurance for security breaches
Bank of America isn't the only company concerned about security breaches. After WikiLeaks started focusing on corporations, insurance companies experienced a surge in inquiries about coverage for losses associated with leaks.
"As soon as there is a huge data breach, we get a big uptick in companies contacting us," says Kevin Kalinich, national managing director with Aon Risk Solutions. "WikiLeaks educates them that the world has changed."
Corporations face attacks not only from hackers, but also from within their own ranks. Employees can accidentally release confidential information by losing their computers or having weak security. Disgruntled employees may intentionally release sensitive data to competitors, media outlets or organizations like WikiLeaks.
Cyber-related crimes, which are on the rise, cost businesses millions of dollars in losses each year. According to the 2011 CyberSecurity Watch Survey conducted by CSO magazine, 28 percent of respondents experienced an increase in security breaches in the past year.
Respondents reported that outsiders (those without authorized access to network systems and data) are responsible for 58 percent of the attacks, while insiders (employees or contractors) account for 21 percent. The rest are from unknown sources.
A third of the respondents consider insider attacks to be more costly than others. Respondents also reported that 22 percent of inside attackers used “rootkits” (software that enables a user to have undetected access to a computer) and other hacker tools compared to 9 percent in a CSO survey conducted in 2010.
"Companies spend billions of dollars annually setting up firewalls, buying anti-virus software, but that's not enough," says Loretta Worters, vice president at the Insurance Information Institute (III). "Purchasing cyber insurance is another layer of protection to safeguard a business."
Standard business insurance is no defense
Standard business insurance doesn't cover losses from network problems, software damage or data leaks. Instead, insurance companies offer stand-alone coverage.
Chartis, part of New York-based AIG, sells a comprehensive insurance policy. It includes security and privacy liability coverage and pays for costs associated with regulation actions. It also covers event management, public relations expenses, legal fees, network interruption costs, lost income and cyber extortion (e tcost of hiring a security firm to find and negotiate with the blackmailers). Some insurers also pay for a reward for information leading to the arrest and conviction of a cyber criminal.
"The bad guys are targeting all types of information from all industries," says Mark Camillo, vice president of Chartis’ professional liability division of executive liability. "Traditional insurance does not address these risks, and for any organization that has a breach, it can be a costly nightmare of legal fees, notification costs, regulatory actions and fines/penalties."
Most insurance quotes for this type of coverage range from a few thousand dollars annually for a small business (with less than $10 million in revenue) to several thousand dollars for more comprehensive coverage for a major corporation, according to III.
"Reliance on traditional insurance and information security to deal with these ever-evolving risks is not enough, making cyberinsurance critical to protecting businesses," Worters adds.
Losses that can’t be covered
Worters believes that many businesses are not properly insured, citing a 2008 Ernest & Young Global Information Security Survey that reveals only 13 percent of espondents had insurance coverage for cyber attacks.
Companies can buy insurance to cover the financial costs of losing confidential and sensitive data, but they will not be able to insure the loss of their reputation or brand name. If WikiLeaks releases information about an American bank's disreputable business practices, the company will most likely not have an insurance policy to cover the costs of bad press, Aon's Kalinich notes.
A company could buy insurance from Aon to cover a stock price drop due to a leak, but the company's shares would have to be measured against industry peers to determine whether the security breach caused the stock plunge. This kind of insurance policy “is very complicated, and difficult to impossible to buy," Kalinich says. "We don't want to encourage everyone to buy it."
Kalinich encourages businesses to conduct a risk assessment of their procedures concerning data.
"As business evolves, they rely more on electronic information," he says. "That is why it is important to establish guidelines to protect the data. It's people, processes and technology."