Information security insurance is designed to protect an individual or business against the risk of possible loss due to information security incidents. Similar to other forms of insurance the policy holder pays a monthly/annual premium to the policy issuer for the agreed to insurance plan.
Why might you need information security insurance?
The more your business relies on information systems to operate the more at risk you are if a catastrophic incident affects critical systems.To help manage risk to more acceptable levels information security controls are implemented to protect against various threats. Information security audits are another risk reducing measure a company can take to help validate the effectiveness of their information security controls and document any weaknesses for prioritization and correction. Many companies choose to self insure and pay any information security incident expenses out of pocket vs. pursuing direct insurance although the number of companies obtaining insurance is increasing at a dramatic rate. If you are under the impression that your traditional insurance policies will cover you for technology related risks now is a good time to validate that assumption. Lastly, if you are involved with a start-up it is sometimes a requirement for VC providers that information protection insurance be active to protect their future investment in your company.
Examples of events that can be insured with information security insurance
- Unauthorized system or network access
- Theft of sensitive intellectual property
- Fraudulent ebusiness or online banking activity
- Lack of availability of systems
- Disaster Recovery
- Technology errors and omissions
What are typical costs from an information security incident?
- Cost of investigating source of incident and scope of systems breached – Expert investigators are very expensive so expect to pay mid to upper 5 figures or even into the 6 figures to investigate and clean up a security incident
- Cost of loss business – Business that is lost especially if it is not recoverable could amount to significant costs.
- Cost of lost employee productivity – If your employees can not do their job you still have to meet payroll and other financial obligations
- Cost of breach disclosure notifications and customer protection measures – If sensitive customer or employee data is lost while under your care you are likely financially obligated to notify and offer credit protection measures to minimize their risk of identity theft.
- Worst case scenario is inability to recover from an incident leading to failure of the company
Final tips on information security insurance
If you desire information security insurance your first stop should be to try add the coverage via your existing insurer. If they do not offer the service or the cost is too high you should shop around to get the coverage you are looking for. It should be noted that the information security insurance industry is very immature and there is a lack of standardized offerings. When comparing different insurance options be sure to get everything in writing and validate that you are comparing equal coverages when assessing different companies.