Chubb Insurance Company of Canada Tuesday launched a new commercial insurance policy that covers businesses in the event of inside or outside attacks that can corrupt software and cause disruption in operations.
Offered to existing customers at no additional charge and new customers at a minimum premium of $15,000 annually, MasterKey coverage includes office contents, IT systems, computers and liability.
“The frequency with which some of the computer virus-type attacks in the past few years has caused a lot of insurance companies and the whole sector to acknowledge that there needs to be a specific insurance solution for it,” said Fred Shurbaji, senior vice-president, Chubb commercial insurance division, Chubb Insurance Company of Canada.
In designing MasterKey, Chubb looked at key exposures following an attack such as electronic data recovery cost, business interruption loss and loss of income.
To help mitigate these losses, the policy covers current Chubb customers for up to $500,000 towards one or more of 12 property coverages at no additional cost. These include: coverage for non-owned detached trailers; public safety service charges; and research and development property like prototypes.
Chubb has 44,000 customers in North America that would qualify for a product like MasterKey. They are more likely to be susceptible to outside attacks such as worms and viruses than an inside job, said Shurbaji.
“Inside attacks could equally be very destructive but are typically unique to one or two customers at a time,” he said. “We’ve managed to provide limits that we know we have the financial strengths and capabilities to honour the limits that we’re providing.”
Companies are covered for $100,000 for inside attacks and can purchase additional coverage for up to $1 million or higher in certain circumstances. For outside attacks, companies are insured for $10,000 per incident with a maximum for five incidents a year totaling $50,000.
Customers, however, can’t rely on financial payouts alone as terms and conditions of the contract require companies to ensure their firewalls and security systems are kept up to date.
“While they may have some insurance available to help them get back on their feet it does significant damage to their image with their customers,” said Shurbaji. “We are confident that this will not cause companies to relax their security measures and best practices.”
In addition to contract requirements, compliance regulations like Sarbanes-Oxley are also driving customers’ investments in data security protection, said Andrew Steen, vice-president, Canadian underwriting manager, technology insurance specialty, Chubb.
“Network security is becoming a heightened issue and one that customers are trying to deal with more vigorously,” said Steen.
Continuity planning experts, however, say companies may be better off looking at other ways of protecting their assets.
Graeme Jannaway of Jannaway & Associates said the problem with insurance policies is they cover the financial loss and not a business’s ability to serve its clients.
“Unless you’re going to retire and fold the business, it’s not a fabulous strategy,” said Jannaway, who has 16 years of experience in the insurance industry. “I would not buy insurance for this. I would spend my time and money doing a better job protecting my business by protecting my assets.”
He said companies would be better off spending the money on continuity planning or disaster recovery planning to safeguard their business.
“Spend money on building resiliency into your networks and resiliency into your service farm rather than trying to protect your financial assets not realizing that your whole customer base could walk away,” said Jannaway.
Jannaway said unlike car insurance, companies can’t go out and buy new systems after they have been attacked by a virus, for example. “It ends up being pretty thin gruel,” he said.
While insurers have had business interruption insurance policies in place for some time, there are many organizations that choose not to use it, said John Newton, secretary for Disaster Recovery Information Exchange’s (DRIE) Toronto chapter.
“There’s a lot of debate to say if an organization takes measures to protect itself should it get lower premiums,” said Newton, also principal of consulting firm John Newton Associates Inc. “That hasn’t materialized yet as far as I can see within insurance environment.”
Like Jannaway, Newton says companies should look at redundancies and mitigation measures in protecting themselves against all forms of attacks.
“Whatever mitigation you can do is going to reduce the impact when something occurs,” said Newton, giving the example of having a technology backup policy and ensuring that it will work in the event of a disaster. While most large and medium organizations have such policies in place, Newton added that it is less common among smaller businesses. Backup can range from something as simple as backing up data onto a tape or CD to something as complex as having redundant mirrored systems in another city with real-time backup, he added.
Newton said companies should not only have a disaster recovery plan in place but also ensure people are knowledgeable about how the plan works, test the plan’s components and know how long it takes to implement it.