Municipal governments in disaster-struck areas are having trouble getting insurance policies that will help their region recover from natural disasters. Insurers aren't keen to take on high-risk clients -- like New York City since Hurricane Sandy -- all on their own. However, they might be willing to accept that risk if they share it with private investors. This is the idea behind catastrophe bonds (or "cat bonds").
Georgia Levenson Keohane explained the concept in her New York Times column yesterday:
The theory of the cat bond is relatively simple: insurers transfer their risk to capital market investors who are betting against catastrophe; that a hurricane or an earthquake won’t hit a particular place in a specified period of time. If this proves true, investors are repaid principal plus relatively high interest. If disaster strikes, however, the cat bond investors are on the hook and lose their principal.
My question is this: Could the same basic premise be applied to IT catastrophes?
Organizations already have the option of buying "cyber insurance": liability insurance that protects them when they suffer a data privacy and/or security breach.
Organizations also have the option of buying insurance to protect their datacenters and other facilities from fires, floods, and earthquakes.
However, PII breaches and natural disasters aren't the only sorts of cyber catastrophe your organization might experience. What about a breach of intellectual property, or a lengthy denial of service that costs you and/or your customers a million dollars in lost business? What insurance policy covers that?
If insurers were going to start selling cat bonds to offset the costs of paying for IT catastrophes, they would likely want to set their prices based on your organization's existing security posture and disaster recovery plan. If you could convince them that you're already doing a bang-up job on security and disaster recovery, it might be easier to convince investors to bet against you having an IT catastrophe.
So, in addition to getting you some financial back-up, it might be a driver for your company to invest more in security and DR to begin with.
Would anyone bet against your organization having a cyber catastrophe? If so, would you be interested in it -- especially if it made insurance easier to obtain and made your premiums cheaper? Let us know what you think in the comments below.