Hacker insurance set to rocket

Company spending on hacker insurance is set to rocket from $100m (£62m) to $2.5bn (£1.55bn) by 2005 in the US, according to industry estimates.

In January, the hacker insurance market increased as many existing commercial general liability policies expired and were replaced by policies containing explicit exclusions for hacker-related losses.

According to the Insurance Information Institute, a policy covering revenue lost due to hacking costs about $4,000 (£2,475) per year for each $1m (£620,000) in coverage.

Policies generally insure against losses caused by hackers, viruses, worms, cyber-terrorism, programming errors or intellectual property theft on the internet.

The Love Bug, Melissa, Code Red and other vulnerabilities have cost companies more than $54bn (£34bn) in down time, removal expenses and repairs, according to research organisation Computer Economics.

"Fears about how such vulnerabilities and attendant magnitudes of loss might impact on national security have reached a critical mass, particularly given the post-11 September climate," said attorney Robert Steinberg.

The Bush administration has also pushed insurers to work with businesses to set up a security baseline in the private sector.

For example, American International Group (AIG), the world's largest insurance company, said business espionage has become an increasing concern. Seventy-two per cent of US high-tech companies believe they are a target for domestic espionage, while 46 per cent cite foreign competition and 32 per cent foreign governments as potential threats.

But AIG, which writes about 70 per cent of cyber-policies in the US, has only issued 2,000 policies for far, each with a minimum price of $10,000 (£6,200).

Gartner analyst John Pescatore observed that cyber-insurance gets a temporary boost after every high-visibility attack, like Nimda or Slammer.

But he said: "Enterprise legal counsels and chief financial officers aren't yet convinced that hacker insurance will limit their liability or recover the costs of the premiums plus the deductibles."

It is not that the economic implications of attacks are not well understood but that the value of hacker insurance is unclear, he added.

No one, for example, can point to any case law or legal precedent that would indemnify a company from all liabilities that might spring from a hacker attack, he said.

"It doesn't seem particularly hard to get the insurance. Worst case, an enterprise needs to undergo a security audit, which most enterprises do regularly anyway."