Problems with insurance

Although many types of 'direct loss' are insurable, most insurance policies have many 'exclusions', and the 'small print' of such policies can be very extensive. One of the most important of these with regard to information security risk is the exclusion of coverage for loss of confidential or proprietary information. It usually comes down to the definition of 'property', which is defined as something tangible under the terms of the insurance policy. This leaves a huge gap with regard to insurance cover for information-related risks.

Another important exclusion is indirect or consequential loss. As mentioned above, it is possible to get cover for business interruption caused by certain perils such as fire, but it is generally not possible to get such cover for business interruptions caused by employee dishonesty, extortion, etc., since indirect losses are excluded from the cover in fidelity bonds. Similarly, the fidelity bond does not cover any loss incurred by the unauthorised actions of an employee, a customer or any party who had been granted authorised access to a computer system and then abuses those privileges.

As explained above, insurance works because the insurer can spread its losses over many insured clients and make a profit whilst paying out on individual loss claims. However, this starts to break down if the losses of all the clients start to aggregate or accumulate into a massive loss scenario for the insurer. Not only is such business unattractive, it could also potentially lead to the financial demise of the insurance organisation, which is in no one's interests. There are therefore concerns about the potential dangers of insuring against single cyber attacks (such as those caused by the 'I Love You' and 'Melissa' viruses), which could potentially cause billions of dollars' worth of damage across the entire insured population of clients of an insurer.
This type of concern has had a considerable negative effect on the development of new insurance products in the cyber world. Insurance is traditionally based upon actuarial analysis of long histories of statistical loss data, and all 'traditional' insurance works well because of this sound mathematical basis. The types of loss now being faced in the highly automated, information-rich world of cyberspace do not have long histories, and there are no such statistical data on which to perform the analysis. The insurance industry as a whole is therefore cautiously attempting to venture into this new world with innovative insurance products, but it has difficulty in assessing its own overall risks without the proper data. For this reason insurance products tend to lag behind the development of digital business by a considerable margin. When you consider that as much as fifty percent of the value of 'new' businesses in the knowledge economy can consist of 'intangible' assets in the form of information (designs, research data, product and pricing information, customer details, digital products such as music, films and games), all of which can easily be stolen, copied, reproduced and distributed on a huge scale, this represents a major problem area of uninsurable risk.
The Security Practitioner: An Introduction to Information Security