The Canadian-based insurance firm Executive Risk Insurance Services announced that they are launching a new corporate insurance product enabling clients to insure against the associated costs of an information security breach. The new insurance plan will cover not only the costs of the actual damage caused to systems by an attack but also the additional costs of notifying affected customers, compensating credit card companies or putting in place credit monitoring.
This is not the first insurance company to enter the world of cyber attack insurance; Chubb and the American International Group Inc. already offer products in this area. Insurance companies are not known for taking risks; in fact, they are well versed in identifying and estimating risks. So what is significant is that these companies see a gap in the market, and they will no doubt be followed by others.
As companies become more aware of the threat posed to them by their exposure to cyber attacks, the boards of these companies will look at ways to minimise this exposure, especially when those on their payroll responsible for information security cannot guarantee 100% security. Insurance policies are used by many organisations to plug gaps in how they manage their exposure to certain risks.
The involvement of insurance companies in the field of information security will force a number of changes in the industry. In the physical world, businesses have to invest in certain security solutions that meet standards and are managed and supported by appropriately trained personnel in order to get insurance coverage; we will see the same thing happen in the area of information security. In order to reduce their insurance premiums, companies will be forced to better understand their risk exposure, implement proper security controls and ensure that their staff are appropriately trained.
What the growth of cyber insurance will hopefully do is bring information security into the boardroom where it will become a business issue which needs to be managed like any other business risk.