New type of insurance marks intersection of business, IT security

William Jackson

One of the toughest questions in securing information systems has always been: How much security is enough?

Most types of commercial risk, from fire and theft to earthquake and flood, have long since been quantified in the tables of insurance companies. Information assurance has so far defied such calculations and, without the numbers, managers in the government and elsewhere have been uncomfortable setting a price on system security.

Now the famed insurer Lloyd's of London has agreed to sell policies protecting the customers of Counterpane Internet Security Inc. of San Jose, Calif., against loss of revenue and information assets. Counterpane provides vulnerability assessments and 24-hour, seven-day monitoring, intrusion detection and response.

The interesting thing is not whether Counterpane's service is better than anyone else's, but that it has convinced Lloyd's that information security can be boiled down to a quantifiable risk.

'This is further evidence that all security is a judgment about risk,' said Jim Hurley, managing director of information security for Aberdeen Group Inc. of Boston. 'This says, "We think we know how to measure that risk, and how to account for it." '

If it can be accounted for, managers will have a way to determine whether they are getting their security money's worth. They can make a business case and budget for it.

The next level

Cyberinsurance is not unknown, but the Lloyd's policy is the first to be offered specifically to the customers of a particular security company. 'This is a broader type of coverage than has been available before,' Hurley said, and it is tied to a specific set of security practices.

The insurance covers the cost to repair or replace data and software lost or damaged by an intrusion. It also insures against revenue lost to service interruption, including denial-of-service attacks. The protection against extortion covers the cost of specialist assistance for, say, negotiations during a crisis. It even covers ransom payments.

Counterpane customers get up to $100,000 asset and income protection as part of the service, and they can acquire up to $5 million worth of supplemental coverage for an additional fee. Lloyd's itself offers up to $100 million supplemental coverage to Counterpane customers at preferred rates.

Counterpane, of course, boasts that the groundbreaking insurance shows its superior level of protection. But John R. Sciandra, senior security consultant at Acuent Inc. of Vienna, Va., said the insurance does much more. It finally pushes information security out of the server room and up to the managers in the conference room.

As insurance companies begin offering comprehensive security coverage, tying their rates and availability to recognized best practices, administrators will at last have the opportunity to decide how much security, or how much risk, they can afford. And with the insurers' money at stake, their analysts will finally develop effective metrics to gauge levels of risk.

The introduction of accounting practices should bring a lot more order to information security.
