Insuring Against Cybercrime Gets TougherInsuring Against Cybercrime Gets Tougher

The new year ushered in a host of changes for cybercrime insurance policies. Many insurers will exclude online assets from standard commercial insurance policies this year, shifting the coverage to costlier supplemental policies. What's more, some policies will offer no coverage if IT damage is terrorist-related.

"I used to think cybercrime would become a standard feature of commercial property policies," says Robert Hartwig, chief economist at the Insurance Information Institute in New York. "Instead, the opposite has happened."

Policies covering IT have typically protected against physical loss or damage; a computer zapped by lightning would be covered like any other piece of office equipment. At least three insurance carriers--The Hartford Financial Services Group, Royal & SunAlliance Insurance Co., and Zurich North America--have excluded cybercrime coverage from their standard policies and are offering supplemental policies. "There's a tremendous amount of exposure that was never intended in the pricing of those policies," says Tom Shields, senior VP of marketing for the financial enterprises division of Zurich North America.

Sept. 11 took a huge toll on the insurance industry, which will pay out $50 billion as a result of the terrorist attacks. Now, insurers have drawn a line in the sand. "They want to make it clear that losses stemming from denial of service, viruses, and intellectual property violations aren't covered by standard policies," Hartwig says.

Supplemental policies, which cover viruses, security breaches, and denial-of-service attacks, can range from 2% to 8% of the overall premium's cost, says Michael Lamprecht, national practice leader of E-insurance for broker Arthur J. Gallagher. The coverage also often requires an audit of security systems and policies, which can range in price from $4,500 to $50,000.

Some insurers will exclude all coverage of terrorist activities, both virtual and physical. Others will offer cyberpolicies that cover terrorist threats. But proving that a cyberattack is the result of terrorism won't be easy. "Just because a virus was accidentally spread from a third-world country doesn't mean it's a terrorist attack," Lamprecht says.

Arthur J. Gallagher saw a 100% increase in sales of its supplemental policies compared with a year ago. Still, it's a nascent business. Hartwig expects the cyberinsurance market to reach only $2.5 billion by 2004. Many believe the coverage is unnecessary. "This insurance sounds like another way to spend money that I won't be able to get in this flat economy," says one VP of IS at a midsize investment firm who asked not to be identified.

Sean Magee, VP of IS for Lanier Worldwide Inc., says cybercrime is more of a concern for larger companies. Cybercrime insurance "doesn't make sense right now," he says. "I doubt we're on anyone's hacking radar screen."