Insurance follows cyber crime on risk

One of the good things about being an insurance company is that potential risks seem to be forever growing and, therefore, so does the potential to sell new sorts of protection. Who would have thought of needing cyber insurance just a few years ago?

One of the good things about being an insurance company is that potential risks seem to be forever growing and, therefore, so does the potential to sell new sorts of protection. Who would have thought of needing cyber insurance just a few years ago?

True, most small businesses probably don't need coverage any more for their horse breaking a leg, but that is more than compensated by newfangled ways of striking trouble.

Cyber insurance is promising to be a new boomlet for insurers as companies become more aware of the dangers of being hacked and losing their data. But that is only the half of it - there is also the risk of being hacked and losing other people's data. Let your customers' personal information fall into the hands of the identity theft scumbags and you could have the lawyers knocking on your door, never mind the damage to your reputation of having failed your customers.

Mind you, there are plenty of low-tech ways to lose data as well. A certain sort of person will enjoy the irony of data security company AusCERT, which last year lost 8000 subscribers' personal information in the mail .

Cyber insurance is a step up from the already fairly common business insurance to cover loss of a business' own data for reasons ranging from a disgruntled employee making off with the files to fire damage and equipment failure.

Given the increasing importance of data to a business over physical assets, being aware of its importance is vital both to safeguard against its loss in the first place and then to cover the financial cost if it is destroyed.

The purveyors of cloud computing use the danger of data loss as part of their sales pitch. With everything else happening in a small business, it is not hard to forget to back up data just once or twice - which is when one of the subsets of Murphy's Law will strike. But if a business tries to avoid data loss by moving to the cloud, there then arises the question of the cloud's security.

Protection against the danger of losing other people's data is a relatively recent phenomenon. It took off in the US (the home of the most lawyers per head of population) after 2005 when laws were introduced to force companies to inform people if their private details had been compromised.

According to a recent Reuters report, American insurance companies are now writing more than $1 billion in annual premiums to cover that risk.

And the risk can be considerable. With almost as much irony as the AusCERT case, US insurance company WellPoint was fined $US1.7 million ($1.8 million) this month for having weak database security after exposing more than 600,000 personal records on line in 2009. WellPoint is a health insurance company, but it should still understand a thing or two about risk.

And where the US goes in such matters, the rest of the developed world, including Australia, tends to follow. The Europeans are on the same path and privacy legislation is a growth area here, too, with some high-profile failures already on record. There was the theft of some 77 million Sony PlayStation network users' data, including 280,000 Australian users. Telstra last year was ruled to be in breach of the Privacy Act after mishandling a database of 734,000 customers. And the Australian Privacy Commissioner rapped Vodafone over the knuckles for lax security after finding staff in its stores shared a single log-on and password that allowed access to plenty of customers' information.

Even in 2010-11, the Office of the Australian Information Commissioner (and who knew there even was one?) was being notified of a data issue each week and was investigating just as many that had not been made public.

It is bad enough to be hacked by criminals wanting to steal data for financial gain, but there is also simple data vandalism - hackers wrecking systems just because they can - and the growing incidence of cyber blackmail - hackers infiltrating a company's database and threatening to destroy it unless money is paid.

And if you are not scared about ever using a computer again, there is the often overlooked "big daddy" of cyber crime - the theft of intellectual property by a competitor or extortionist. That is one of the allegations made against China on a state basis - stealing not just government secrets but those of major suppliers and competitors.

Yet business today is data - enter your friendly local insurance company with the chance to sell another policy.

Related Articles