Buying insurance is not the solution for all of a company's information technology security risks, an insurance brokerage executive advised.
“Every company has an information security exposure that needs to be addressed,” said Patrick Donnelly, co-managing director of professional risk solutions, Aon Financial Services Corp., “but not everyone needs insurance.”
His comments came Thursday during a Web seminar on the subject, “Network Security and Privacy Risk,” sponsored by Chicago-based insurance broker Aon.
At the same session another Aon expert said insurance products have not kept up with technology risks.
What is most important, said Mr. Donnelly, is that businesses need to go through a process of evaluation, to determine their security gaps and fill those gaps either through technological security answers or insurance, which could entail self-insurance or risk transfer.
Troy Smith, an executive with information security and IT consulting practice, Aon Consulting, noted that technology is becoming smaller and more compact. That development is making it more and more difficult to make information secure. Current insurance coverage has not necessarily caught up with these emerging threats, he said.
Failure to provide proper security also opens businesses and individuals to fines and imprisonment from regulators, expropriation by foreign governments, and civil suits from aggrieved parties, he added.
Mr. Smith said technology security needs to be as important to a business as sales and profits. Companies need to review their processes and determine if the security options connected with their process are sufficient to protect the company and the information.
He said that those losses are not just confined to the financial, civil, or criminal penalties, but can affect the company's reputation as well.
Mr. Donnelly said traditional insurance cannot help. While there may be some insurance coverage related to physical losses stemming from technology breakdown, case law has determined that data is not physical property, he explained.
Typical policies, such as commercial general liability, may cover some harm from publication of data, but overall, there are limits and exclusions in most policies that do not cover data loss.
He pointed out that seven to eight years ago, policies did not address the technology data issues and customized policies were successful. But legal decisions began to change the coverage landscape as more and more diverse issues emerged with technology's evolution.
Recently, businesses have re-evaluated their exposures, which has led to the development of insurance policies covering security and data loss issues, Mr. Donnelly said, on the liability side.
“I think insurance companies are challenged to provide real, meaningful, broad coverage on the first-party side,” Mr. Donnelly said. “Even if they could, I think that there are a lot of question [about] whether you can get the model right to properly value a loss on the first-party side.”
Coverage is available for damage to intangible assets and business interruption, but he stressed that the insured needs to look closely at the policy for exclusions and limitations.
The complete broadcast is available at: www.aon.com/us/about/events/web_seminar.jsp
© Arc, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to TMSalesOperations@arc-network.com. For more information visit Asset & Logo Licensing.