It's hard to shell out big bucks for things that you hope you'll never use. That's why buying insurance of any kind is such a drag. But when it comes to mitigating risks that could wipe out your entire business in a matter of days, many people opt to play it safe. And there's a new risk in town: cyber risk. Not surprising, following close behind is cyber insurance.

Such policies, which have been around for about five years, are designed to protect businesses should they fall victim to hacker attacks or other forms of online mischief or catastrophe. And more businesses are considering such coverage worth the expense. According to the 2006 CSI/FBI Computer Crime and Security Survey, 29 percent of U.S. companies say they have external insurance policies to manage cyber security risks, up from 25 percent in 2005. It's easy to see why. Nearly all companies now rely heavily on electronic information, which puts them at risk of losing business as a result of network downtime or being held liable by customers as a result of stolen personal data. Buffeted by stories of phishing attacks, spybots, and malicious viruses and worms, what responsible business owner wouldn't be interested in turning a variable risk into a fixed cost?

But purchasing a cyber insurance policy is far from a no-brainer. The policies are often confusing and pricey. The main problem: Cyber risk has been frustratingly difficult for insurers to quantify. Because cyber insurance policies are so new, there is a dearth of actuarial data from which to base the premium rates. "The insurance provisions have been drafted pretty narrowly," says Joshua Gold, a partner at Anderson Kill & Olick, a New York City-based law firm that specializes in representing businesses in insurance disputes. Gold, for example, has reviewed policies that claim to guard against "computer security incidents" on the one hand, but then exclude something as basic as a virus from that definition.

Indeed, because there is next to no case law for precedent in technology-related insurance claims, it's not uncommon for policies to come with four or five pages of single-spaced exclusions to the coverage. Says John Pescatore, an analyst at Gartner (NYSE:IT), an IT research firm based in Stamford, Connecticut: "The price of the policies is too close to the cost of an actual event. You may be better off just spending the money to avoid an incident."

Cyber insurance policies also have been difficult to apply for, often demanding that applicants undergo a third-party audit of their security practices. Fortunately, many carriers have streamlined the process and now write policies based on such factors as the size of the company, the amount of data it holds on file, how many people have access to that information, security policies, whether data is encrypted, and whether the company has experienced losses in the past. Premiums are edging downward, too. At the New York-based insurance giant AIG (NYSE:AIG), for example, a typical policy for a small company could cost as little as $1,000 a year in premiums, with a $1,000 deductible and up to $100,000 in coverage. "We've got a good handle on how to evaluate the risks now," says Nancy Callahan, vice president of AIG's identity theft and fraud division.

Before you begin shopping for a cyber policy, dig up your existing business insurance policy and give it a close read. You might find that you're already covered for many cyber-related incidents. It all depends on how your current policy is worded. As cyber risks have grown, insurers have begun to add language to business liability policies that specifically excludes cyber-related liability. So when it comes to existing insurance, an older plan may actually offer better coverage. "Some of the older general liability plans have good broad coverage," says Gold. Say, for example, an identity thief breaks into your system, steals personal information, and sells it on the Internet. A customer may decide to file suit for a violation of privacy, as well as any monetary damages incurred. Under an existing personal injury plan, there's a pretty good chance that your business would be covered. If not, many carriers will allow you to extend an existing errors and omissions or general liability plan to cover some cyber risks.

For now, experts say that companies that deal heavily in electronic information are the best candidates for a separate cyber insurance plan. That is the case with Scott Paly, the CEO of Global DataGuard, an IT security products and services provider in Dallas. Like many contractors that are required to obtain errors and omissions insurance by their clients, Paly now is often asked by his customers to get cyber coverage, as well. Paly pays more than the average business would for his insurance, about $11,000 a year, because of the nature of his business. But he views the added insurance as a cost of doing business. That's why he set the deductible high, at $25,000. "We have a high deductible," he says, "because I highly doubt we'll ever have a problem with this."

Nonetheless, insurers are marketing their cyber policies aggressively, and most experts agree that as more business is conducted electronically, the policies will become more widely adopted. "Transferring risk is a legitimate business strategy, and over time I think the insurance companies will be able to offer more compelling products," says Robert Richardson, director of the Computer Security Institute, an industry group for information security professionals. "Of course, there are some things you can't cover with insurance, like loss of customer trust or losses that land you in jail."

Resources

For more on online risk-management issues, including webcasts, white papers, and case studies, check out the website of the Computer Security Institute at gocsi.com. Information Security Economics, an industry trade group, offers an in-depth white paper on cyber insurance at infosecon.net/workshop/pdf/15.pdf.