30 January 2009

Cyber Liability Insurance

Nowadays many organisations' main assets are their information and networks rather than physical things like office buildings. The protection of the privacy of employees, customers and the public is also a growing issue.

At a talk organised by the Insurance Institute of London, Emily Freeman of insurance brokers Lockton explained why conventional insurance policies such as general commercial liability, professional indemnity, errors and omissions (E&O) liability, criminal damage, privacy and property protection are very unlikely to cover the effects of information damage or loss. If you want insurance to offer worldwide protection against damage and consequential losses, possibly with the involvement of insiders, you need an explicit policy—typically called cyber liability insurance.

Not all cyber liability insurance products are the same and the package should be discussed with your existing broker or one that specialises in cyber insurance. The aspects to consider are:

  • data network availability and damage
  • loss or damage to sensitive data
  • internet defamation, copyright and trademark infringement
  • data breach notification and crisis management
  • regulatory investigations, fines and penalties.

Apparently there is now a trend in litigation moving on from omissions and correctness, to "is it doing it securely?".

[Figure: a pyramid with 'Did we receive it?' at the base, 'Does it work?' above and 'Is it safe?' at the top, with an upward-pointing arrow labelled 'We are heading this way']

Something, then, to be considered more in web application specifications and acceptance testing.

Web site operators (especially those that collect personally identifiable information, rely on the web site for critical business processes, operate in a more highly regulated environment, or who allow users to contribute content) should investigate the risks and possible benefits of cyber liability insurance. No web-enabled system can be completely secure, but you'll need to demonstrate that you are applying and monitoring security best practices—otherwise you might not be able to transfer any risk at all to an insurer.

The recent data breach at Heartland Payment Systems in the United States reminds us that compliance is not security. It seems the data was copied using a technique requiring a high level of system access. Take care!

Posted on: 30 January 2009 at 08:34 hrs


Comments


Colin,

Great article! As an insurance professional, I appreciate your advice to not abandon "best practices" because one has obtained insurance. The data breach at Heartland Payment Systems underscores what I have been telling clients for a couple of years now: that the majority of corporate data breaches are performed or facilitated by current or former employees. For more on recent data breaches go to http://cyberinsurance.wordpress.com.

Added by Christopher Strickland, posted on 25 March 2009 at 21:53 hrs

© 2009-2010 clerkendweller.com