Can insurers protect the U.S. from cyberattack?

The newest soldier on the frontlines of America's cyber defenses could be an insurance salesman. To prepare American companies for the costly fallout of hacks, as recently experienced by Google's operations in China, a market for cyber insurance has been taking root and is extending coverage to keep companies and customers safe in cyberspace.

Hackers often stay undetected by the companies they target because corporate budgets didn't prioritize online security. A study conducted by Verizon between 2004 and 2008 determined that 75 percent of breaches were not discovered by the victimized organization, and that 87 percent could have been prevented with reasonable online protection.

Larry Clinton, president of the Internet Security Alliance, argued that companies on "the front lines of the cyberwars" will remain undefended unless they can be persuaded to obtain cyber insurance. "We're going to have attacks forever until we change the economics of the issue," Clinton said. "Companies need more incentives to defend themselves."

The market for cyber insurance received a jolt of government encouragement in 2002, when Bush administration cybersecurity adviser Richard Clarke met with insurance companies to encourage them to expand their online security coverage, hoping the market's success would stimulate security upgrades.

Following that advocacy from the administration, economist Robert Hartwig, who has since become president of the Insurance Information Institute, had high hopes for a cyber insurance market. He told WashingtonPost.com in 2002 that he expected "the market for cyber insurance premiums will be $2.5 billion in 2005." The value of today's cyber insurance market falls short of his projection and is closer to half a billion dollars, according to Al Modugno, senior vice

Hartwig said he was right about another prediction he gave the Post's Web site: that it would take a "malicious and well-publicized attack" -- like the Chinese-based cyber-espionage of 20 companies, including Google, last December -- to jolt companies toward cybersecurity reform. "In the early 2000s, it seemed like there was a major breach a week," he said. "That's why there have been exponential improvements in security and prevention since then."

But despite the Bush administration's efforts, enthusiasm for cyber insurance was slow to take off, with the recent memory of the tech bubble's burst and a lack of historical data to determine pricing. As the Internet became more indispensable for business, large finance companies became the first to insure their assets online. Later, many companies with access to confidential information found a need for cyber insurance.

One of today's largest cyber insurance providers is London-based Lloyd's, and smaller insurance firms are offering more claim options to smaller markets. Chubb Securities launched such a campaign in October, and Philadelphia Insurance Companies expanded policies designed for cybersecurity last month.

Hartwig said that insurance markets are adapting existing coverage for conventional damages like libel or trespassing and translating them to their counterparts in cyberspace -- "like the way businesses started using electricity and adapted the risk of fire insurance." Similar to fire insurance, companies would be refused coverage for cyber insurance if they don't meet enough security standards to satisfy the insurance provider.

"These underwriters are mostly concerned about companies having the right attitude and approach in their corporate DNA," Modugno said. For example, "if a company keeps senior staff for information security, they assume they will operate online safely."

Employing senior staff for online vigilance is a counter to the teams of hackers working around the clock for the kind of high-profile, persistent hacks outlined in the Verizon study as the 13 percent that are the most difficult to prevent -- such as the recent Google hack. Replacing automated monitoring with a vigilant IT staff distinguishes a company's security reputation, according to Rob Knake, international affairs fellow at the Council on Foreign Relations.

"The real cyber weapons aren't worms or viruses -- they're the people," he said. "Hacking requires a lot of training and experience, and so defending requires that, too. You're not going to be able to defend against people who work against you while you sleep."

Like any insurance plan, the details differ case to case. Basic cyber insurance covers hazards such as unauthorized Web site access, online libel, data privacy loss and repairs to company databases after system failures. Broader plans covering costs to notify customers of IT failures and loss of income from site failure are starting to be more widely offered. If intellectual property were insured and that data was hacked, the custom claim would be collected, and the insurer might arrange funding for tech support to secure the systems that were exploited.

Convinced that creating market discounts for reliable security is not enough to inspire widespread security standards, Greg Garcia, who served as the Homeland Security Department's assistant secretary for cybersecurity under Bush, said the growing cyber-insurance market would produce guaranteed results if it were mandatory.

"Industries tend to be allergic to change that initially requires a higher cost of doing business," he said.

Not all experts agree, however; Clinton argues that such a move would drive up costs and lead businesses to outsource to another country.

Rather than looking to coverage mandates to make cyber insurance more effective, Modugno is following the progress of the 2009 Personal Data Privacy and Security Act in the hope that a new federal law will require companies to report information about breaches. More information could increase awareness and research, he contends. Sen. Patrick Leahy, D-Vt., introduced the bill in July; it cleared the Senate Judiciary Committee in December and is poised for a vote on the Senate floor. There is no companion bill in the House.

"A federal data breach law would once and for all make it clear that a comprehensive cybersecurity mentality is necessary," Modugno said. "If a federal law came down, it would help ease the burden on the cottage industry atmosphere of providers who are trying to build the market by themselves by using the patchwork of data breach laws in 48 different states."

Staffers for the Judiciary Committee described the bill's goal as providing guidelines to government companies and federal agencies for what to do when a breach occurs, but they agreed it would incidentally provide data useful for cybersecurity insurance providers.

Knake argues that Leahy's bill is crucial for creating a cybersecurity insurance market that would inspire effective vigilance online. "The key with insurance is that you always need the liability for risk," said Knake.