How do you pinpoint, and recover from, the losses incurred when your network is hacked, your customer data is corrupted, or system uptime is interrupted? Cyberinsurance offers one method for writing off potential losses you can't protect against. This PDF download shows how a company concerned about the vulnerabilities of its online business might undertake a formal assessment of its network security, and consider hedging its bets with an e-risk insurance policy in the process.

In this example, a $2.6 billion cosmetics retailer finds that Internet sales have come to dominate its incoming order volume, and now account for 80% of annual sales. The firm is especially concerned about ensuring that the system behind its three-year-old electronic storefront remains available and that its order management processes are protected. It feels a similar urgency, of course, about protecting customers' credit card data.
The retailer begins the application process by completing a Web-based self-assessment of its security processes and systems. In the same way that insurers send in engineers to check the sprinklers when underwriting a building, underwriters offering cyberinsurance typically require applicants to undergo an information-security risk assessment.
The security engineers called in by the underwriters assess the retailer's current level of vigilance and the extent to which the retailer is complying with accepted security best practices. While reviewing the cosmetics retailer's online ordering process, for example, the security engineers will check that customer data is encrypted both when stored and when it's in transit.
Many network insurance liability underwriters and their security partners use the ISO 17799 security standard as an assessment framework. This comprehensive standard covers 10 areas of exposure; the retailer's report card in each of these areas is shown in the "Security Summary" at the bottom of the chart at right.
Since such a significant percentage of the cosmetics company's revenues depends on Web-based systems, the retailer has a high network asset exposure that makes it a greater risk to the underwriter than, say, a company doing only 15% of its business online. Another factor used in assessing risk is industry; highly regulated companies like financial-service firms are subject to stiff penalties and therefore constitute higher risks. Once the insurer determines the cosmetics retailer's profile is consistent with the types of risks it accepts, it uses information generated during the self-assessment and an on-site information security assessment to determine which rate to charge.