Hacker Insurance? Buy a Boatload

Lloyd’s of London has demonstrated a knack for attracting attention to itself ever since it got its start insuring ships carrying tea back to England. By underwriting the creative hands of artists, the delicate fingers of piano players, Betty Grable’s gams or Jennifer Lopez’ derriere — often for astonishing amounts of money — Lloyd’s has become a household name.

And now the company has done it again, creating a media splash with its announcement of insurance against hacker attacks. E-commerce companies should do some quick number crunching and order some up before Lloyd’s comes to its senses.

Lloyd’s partner in this caper, Counterpane Security, Inc., is betting that it can make hacker insurance not only possible, but also affordable, by minimizing the odds that dot-coms and others will face massive losses. Make it so, I say.

To Boldly Go

The history of reluctance on the part of insurers to underwrite in this area is understandable. Massive losses can accrue when a hacker takes aim, and the next attack is sure to come from the same place all the others have originated — out of nowhere.

The appropriately named Reality Research recently predicted that businesses worldwide can expect to lose more than $1.5 trillion (US$) this year due to computer viruses spread via the Web. Computer Economics, Inc. recently issued an update on how much damage the Love Bug caused to businesses worldwide when it struck earlier this year. Even after the company adjusted its estimate downward, the total came to a whopping $8.7 billion.

So with Lloyd’s offer of $10 million of insurance for $750,000 — the price of about 10 seconds of advertising during the Super Bowl — it may be time for dot-coms to get the calculators out and do the math.

Still Counting

Lloyd’s says that the new insurance will cover lost business caused by hacker attacks. Even though the losses will vary drastically from firm to firm, it is safe to say that even a medium-sized e-commerce concern could rack up a few million dollars in lost sales during a brief outage.

Putting a price tag on the total business losses that a hacker attack might cause is tough, but the companies who hold the insurance will undoubtedly find a way to measure damages that go far beyond lost sales.

Most of the companies targeted by Melissa last year quickly got back on their feet. But then came the denial of service (DoS) attacks and the I Love You worm — with its many copycat variations. Some industry observers are holding their breath in the fear that escalating cyber-terrorism may someday target — and break — the Internet’s very backbone.

Crystal Ball

Insurers are traditionally driven by tables of statistics that support broad generalizations. The best reason to buy hacker insurance is that the few generalizations that exist may have little to do with the next event. No one knows what lies around the corner. Companies have scrambled to find ways to cope with sudden barrages of page requests, minimizing the damage of a DoS attack. And most companies have found ways to filter e-mail that might have viruses attached.

But solving the last problem does not prevent the next one. In fact, by their very nature, hackers are addicted to increasingly “impossible” challenges. They live and breathe to break through the best firewalls and defeat the most elaborate security measures. Hackers carry on no matter how vigorously officials prosecute. Effective deterrence seems less likely than water on the moon.

Lloyd’s insurance rationale seems oblivious to the fact that Web sites are no longer just a single function of a business. In many cases, the Web site is the business. At the least, a company’s Web site is usually connected to the very core of its data center — which houses the information that everyone in the company must access to do their jobs.

All Together Now

When a company’s network crashes, lost sales are just the tip of the iceberg. Vendors and partners are shut out. Employees tasked with analyzing sales data or gauging the success of an advertising campaign are left idling in their chairs, waiting for the network to return. Companies are forced to absorb a whole lot of unbudgeted “paid time off.”

Add those losses up and then try to factor in the cost of leaving customers, suppliers and employees frustrated for minutes, hours or more. Those intangible costs — in loyalty, confidence and morale — may never be recouped. But the $10 million or so that Lloyd’s coughs up will cushion the blow.

On the other hand, I admit to the possibility that there is something missing in my somewhat intuitive analysis. After all, Lloyd’s — and Counterpane — undoubtedly know their respective businesses very well. There could be something more to the hacker insurance strategy than I have been able to fathom.

But in spite of my desire to believe that Lloyd’s is not foolishly laughing in the face of danger, my guess is that when it comes to the gargantuan hacker menace, we ain’t seen nothing yet.