
E-insurance: know the risks

Network managers may face a hefty increase in their premiums unless they can prove to insurers that their ecommerce systems are secure.

Matt Chapman, Network News, vnunet.com 26 Sep 2000

Insurance companies now want customers to prove that their ecommerce systems are secure before extending cover, not only because demand is rising, but also because claims can be very large.

As a result, Carr Biggerstaff, a senior vice president at Secure Computing, said customers were currently worried that premiums would skyrocket if their systems weren't up to scratch. "Customers have said that their insurance companies were looking at their new e-systems. Insurers wanted a third party team to review the system, including areas such as back-up and security, before they gave cover," he explained.

According to research commissioned by the Association of British Insurers (ABI), internet fraud, email abuse, hacking and viruses are all set to rise over the next 20 years. Mary Francis, ABI's director general, said this meant that the market for insurance against security breaches was likely to grow as well. "In order to be covered, firms will have to improve security so the risk is a genuine risk, rather than a likelihood," she continued.

Users, who are often not experienced in such matters, should, therefore, ensure that they understand what is included and not included in an insurance policy, while at the same time defining their own requirements clearly, Francis added.

But Bob Walder, director of security at analyst company NSS Group, warns that organisations are right to fear outside audits of their systems. "Rarely have we performed a security audit or penetration test without finding security holes or flaws. What network or security administrator wants to be responsible for losing his company's insurance cover because he forgot to apply the latest vendor fix?" he said.

Megabuck contracts
Insurers have insisted for years that customers be able to demonstrate certain security levels in their homes if they want to be eligible for private cover, so it was inevitable that this thinking would be transferred to cover corporate networks, he added.

Deri Jones, security services manager at NTA Monitor, said that although the practice of auditing ecommerce systems wasn't as widespread as it should be, it was becoming increasingly common in big contracts. "This is only being carried out for the megabucks contracts. Insurance companies look to protect themselves and ecommerce is getting the most attention. However, it needs to happen more often," he said.

But the testing required by the insurers themselves is not always particularly thorough. "Companies will often carry out a paper audit of prospective clients, but this will be nothing more than: 'Do they have a firewall? Do staff know the procedures?' But this is nowhere near the same as a complete test," Jones added.

But security firms are also starting to take an interest in this market and are partnering with insurance brokers as a result. MIS Corporate Defence, for example, has teamed up with insurer JS Wurzler to provide loss of revenue and virus attack insurance. The risk assessment is based on a security audit carried out by MIS, which is then submitted to Wurzler. Wurzler bases the premium on MIS's assessment of the integrity of a company's security infrastructure.

But setting up insurance cover to deal with these eventualities is fraught with difficulties for users.

"It's difficult for firms to put a value on the confidential information which is needed to establish the extent of insurance cover," said Andrew Tanner-Smith, an industry analyst at Frost & Sullivan. "There is also a reluctance to disclose confidential information about security to any third party because it might affect the share price."

Jim Hurley, managing director of security for the Aberdeen Group, added that the internet had exposed previously secure infrastructures to new threats. "Internet-focused systems are capable of introducing unpredictable business risks. Rather than risk damage to the brand equity of the enterprise, network managers should look to avoid damage while buying peace of mind," he said.

At a recent meeting of 20 executives from ecommerce companies, Biggerstaff asked what worried them the most. "Six or seven said it was their responsibility for a big project, and that they had the insurance company breathing down their necks," he said.

This would indicate that perhaps now is the time to look at your own network infrastructure, before your insurer decides to do it for you.

How to avoid hefty insurance premiums

Matt Norris, manager at insurance firm Hiscox Technical, has provided the following checklist to help network managers put their systems in order and avoid a hefty insurance premium increase.

  • Security products. Ensure that your company has the most up-to-date antivirus, firewall and intrusion detection software available.
  • Security processes. Implement security products properly to protect the network.
  • Employee selection. Screen applicants when providing them with special user privileges. Such applicants include network managers or anyone who will have access to sensitive information.
  • Training. Make sure staff understand why procedures have been put in place.
  • Penetration test. Be aware of any possible vulnerabilities in the system.
  • Legal risk management. Use a lawyer who understands IT law as well as any legislation that is specific to your company.
  • Physical security. Protect equipment from fire and theft.
