It’s been nearly eleven years, but the thought of terrorism is just as prevalent now as it was when we woke up on September 12, 2001. Eleven years isn’t a long history of handling the unknown variables –where, when, and how. Back then, the add-on terrorism coverage, that rider on most policies, was a cheap, if not free endorsement. That was when we were naive.

Insurers and security firms have done a commendable job of bringing terrorism risk into our vocabulary and helping businesses protect against what twelve years prior was an other-world problem. The first out of the gate was AIG, which provided the coverage at prices that were prohibitive but justifiable on the heels of the attacks. Other insurers found ways to price the risk and provide coverage, but too many businesses — smaller airlines included — couldn’t afford the premium for the now-required coverage.

Times have changed. And though it seems a short time, eleven years has allowed insurers enough breathing room to not only price the coverage more affordably, but build more comprehensive products that encompass more of the unexpected.

It’s also allowed insurers to reach beyond the physical threats and beef up products that protect against the terrorism we’ve dealt with since the first hacker broke into the first secure network long before 9/11 — cyber crime, yet another form of terrorism.

At RIMS this year, I had a chance to sit down with Kirstin Simonson, underwriting director of Travelers Global Technology division. She’s charged with the company’s CyberFirst product, launched in 1999 and restructured regularly ever since. Rebranded as CyberFirst in 2008, the product came in handy during 2011, which Simonson says was The Year of the Data Breach. What’s new in this incarnation: first party coverage options.

It comes with what you would expect: business interruption, denial of service and crisis  management reimbursement. It also comes with a good deal you might not expect:

  • Security breach notification/remediation expense
  • Cyber extortion expense
  • Computer program/electronic data restoration expense
  • Computer fraud
  • Funds transfer fraud
  • Telecommunications theft

Yet companies I’ve talked with and those surveyed have indicated that cyber threats are something they should be concerned about, but don’t suspect will happen to them. When I mentioned this to Simonson, she said, “That’s when you need to consider: do you have the money to manage a breach on your own?”

Given the cost of a data breach –$194 per record, according to the Ponemon Institute Research Report (March 2012) –things can add up quickly. A breach that affects 20,000 records could cost over $3.8 million. “One of the biggest mistakes companies make is not purchasing enough capacity,” says Simonson.

Simonson suggests that cyber security be part of the business continuity plan, not just a singular focus on the network alone. “You need to ask yourself what you’re going to do when this happens before it happens.”

About the author