SAN FRANCISCO (03/05/2000) - Last month's denial-of-service attacks resulted in millions of dollars in losses among some marquee e-commerce sites. But the lost money could have been recouped had the sites carried a new breed of insurance: a Web security policy.
This insurance covers a wide range of online misfortunes, including data theft, credit card fraud and lawsuits arising from online security breaches. You can get reimbursed for business lost due to hacks or outages, traffic missed, employee overtime and ad revenue that went down the tubes. Premiums start at $10,000 a year for $1 million worth of coverage.
If the sites targeted in recent weeks had policies, they would have been reimbursed for their losses -- although reputations are harder to restore. And losses can be pretty steep, depending on the industry. (On the high end, an outage at a retail brokerage could cost as much as $6.5 million per hour, according to Contingency Research Planning.) Analysts estimate the recent denial-of-service attack on Amazon.com cost the company upward of $2 million. With a $20,000-a-year security insurance policy, the entire revenue loss would have been covered -- at least in theory.
Since last month's widely publicized outages, interest in this type of coverage is keen, says Ty R. Sagalow, executive director of e-business corporate product development at American International Group in New York. The company's NetAdvantage Security policy has been available since Jan. 17, and already two dozen sites have signed up. And Sagalow says AIG has been flooded with calls.
Hiscox, a division of Lloyd's of London, offers what it calls "cyberliability insurance." The policies were made available just in the last two months, admits Matthew Norris, Hiscox's technology underwriter. Before then, he says, demand wasn't high.
Another option is a policy called Net Secure from Marsh and McLennan in New York. The plan is sold by several companies, including Lloyd's, Chubb, the Zurich Group and AIG. Even nonfinancial companies are getting in on the act: Hewlett-Packard recently introduced a Web security insurance policy.
But do you really need to shell out an additional $10,000 to $20,000 in premiums if your business already has plenty of insurance? If you want coverage specifically for security breaches, there is no other way. Most general corporate insurance policies don't cover Web site security.
But it's too soon to tell whether this kind of insurance will be necessary for doing business on the Web, says Frank Price, a senior analyst with Forrester Research. Although he agrees that insuring against disaster is good business practice, Web sites don't yet have a clear idea of what threats they need to be insured against, or how much money is at risk. And while the biggest concern right now is denial-of-service attacks, data theft, extortion and credit card fraud could prove to be more significant threats in the future.
Last December, a cracker broke into the CD Universe server and allegedly purloined 300,000 credit card numbers. He then threatened to post the numbers on the Web if the music site did not pay him a ransom.
Policies from AIG and Hiscox cover extortion, along with the cost of conducting an investigation, reward money and negotiation with the perpetrator. But how prevalent will cyber blackmail be in the future? No one can say.
Just like health insurers refuse applications from people with pre-existing illnesses, you need healthy technology in place before you can buy a Web insurance policy. Hiscox evaluates each company thoroughly before it will insure them; it even checks the security systems of a site's ISP and the systems that a site's customers use. Both Hiscox and AIG say they retain teams of experts to conduct these evaluations.
In the end, the preparations you might take before buying a Web security policy could be the best insurance of all. If a company is willing to insure you after it runs its security audit, you probably don't need insurance in the first place. Then again, as people have been saying about the Internet since its inception, you never know what's going to happen next.