Karen Cheung
Our insurance company recently sent us a letter informing us that '“Terrorism and Cyber Risk” would be excluded from our policy starting from 1st January, 2002.' In short, they are excluding damage from acts of terrorism and any kind of loss of data or software from the risks they are willing to cover. I guess all or most of you have received similar letters by now. The unexpected 9/11 attacks have changed the world and hardened the insurance and reinsurance market immensely, so this is everyone’s problem now. Why, precisely, violent terrorist acts have made the potential risk from loss or damage of data or software unacceptable to insurers is unclear.

Let us look at the impact of “Cyber Risk Exclusion” clauses. Information security management recognizes four ways of handling a risk: avoiding it, reducing it, accepting it, or transferring it. Transferring risk essentially means insurance: if an incident occurs, someone else pays and the organization is protected. Exclusion of "Cyber Risks" by insurance companies means that organizations must now manage those risks by the other three means: avoiding, reducing or accepting. If you do not want to accept the higher residual risk, you will need to review your security policies and put additional controls in place to compensate for the cover you have lost. If you would like a risk assessment of your data protection mechanisms, talk to our consultants.