New type of insurance marks intersection of business, IT security
One of the toughest questions in securing information systems has always been: How much security is enough?
Most types of commercial risk, from fire and theft to earthquake and flood, have long since been quantified in the tables of insurance companies. Information assurance has so far defied such calculations and, without the numbers, managers in the government and elsewhere have been uncomfortable setting a price on system security.
Now the famed insurer Lloyd's of London has agreed to sell policies protecting the customers of Counterpane Internet Security Inc. of San Jose, Calif., against loss of revenue and information assets. Counterpane provides vulnerability assessments and 24-hour, seven-day monitoring, intrusion detection and response.
The interesting thing is not whether Counterpane's service is better than anyone else's, but that it has convinced Lloyd's that information security can be boiled down to a quantifiable issue.
'This is further evidence that all security is a judgment about risk,' said Jim Hurley, managing director of information security for Aberdeen Group Inc. of Boston. 'This says, "We think we know how to measure that risk, and how to account for it."'
If it can be accounted for, managers will have a way to determine whether they are getting their security money's worth. They can make a business case and budget for it.

The next level
Cyberinsurance is not unknown, but the Lloyd's policy is the first to be offered to customers of a particular company. 'This is a broader type of coverage than has been available before,' Hurley said, and it is tied to a specific set of security practices.
The insurance covers the cost to repair or replace data and software lost or damaged by an intrusion. It also insures against revenue loss following service interruption, including service-denial attacks. The protection against extortion covers the cost of specialist assistance for, say, negotiations during a crisis. It even covers ransom payments.
Counterpane customers get up to $100,000 asset and income protection as part of the service, and they can acquire up to $5 million worth of supplemental coverage for an additional fee. Lloyd's itself offers up to $100 million supplemental coverage to Counterpane customers at preferred rates.
Counterpane, of course, boasts that the groundbreaking insurance shows its superior level of protection. But John R. Sciandra, senior security consultant at Acuent Inc. of Vienna, Va., said the insurance does much more. It finally pushes information security out of the server room and up to the managers in the conference room.
As insurance companies begin offering comprehensive security coverage, tying their rates and availability to recognized best practices, administrators will at last have the opportunity to decide how much security, or risk, they can afford. And with the insurers' money at stake, their analysts will finally develop effective metrics to gauge levels of risk.
The introduction of accounting practices should bring a lot more order to information security.