by Steve Greechie
A customer relationship management application database may contain information about tens of thousands--or hundreds of thousands--of individuals. Because enormous assets imply enormous risks, security should be addressed.
CRM: Beyond Security
Of course, nothing substitutes for high standards of database security. But the wise manager should insure his organization against the various hazards that threaten his CRM assets. However, most insurance policies do not provide coverage for this exposure. Indeed, as insurers are confronted with cyber-disasters, they respond with exclusions. Managers need to consider cyber-insurance, which provides coverage against systems disaster.
Customer Relationship Management: Cyber-Insurance
One of the benefits of cyber-insurance is that it allows risks to be distributed fairly: companies at high risk of a cyber-catastrophe pay higher premiums than others. What's more, it requires companies to adopt best practices in cyber-security. Thus, the requirements of the insurer become the de facto industry standards. Insurance imposes a sort of self-regulation, preferable to government regulation because cyber-security evolves rapidly.
CRM Insurance: The Pitfalls
Valuable as cyber-insurance is, the industry faces two important obstacles:
- The danger of a mega-disaster scares insurers away from the field. The worst-case scenario is brutal, since computer systems are interconnected and standardized.
- Since cyber-insurance is a new field, there's a lack of actuarial data. This problem makes it difficult for insurers to calculate premiums and drives up the price of policies. What's more, it makes risk analysis difficult for companies estimating the value of coverage.
CRM Application Risk: The Variables
All companies with computer systems need coverage, but companies with CRM applications most central to their operations are the prime candidates. They vary in their exposure to cyber-risk depending on three factors:
- The type and amount of data collected
- The degree of dependence on the CRM application and its data
- The degree of government regulation or self-regulation
Some of the industries most exposed are finance, health care, and retail. They're among the leaders in the use of CRM systems, and, indeed, they're among the industries that purchase cyber-insurance most widely. Other industries likely to purchase include technology, media, telecommunications, online retailers, education, travel, accounting and, of course, law.
CRM Insurance: The Options
Gordon Blumberg of Casswood Insurance specializes in cyber-insurance. He divides cyber-coverage into two areas: "first party" coverage agreements and "third party" coverage agreements.
First party agreements cover the following areas related to CRM applications:
- Network Extortion Coverage. This coverage reimburses the insured company for payments made in the event of extortion. It's meant to prevent loss of the CRM network or damage to it.
- Business Interruption and Extra Expense Coverage. This insurance covers lost income due to a slowdown--or even a shutdown--resulting from a disaster. These policies might be written on either an agreed-upon value per hour basis or on an actual loss sustained basis. They usually have a waiting period of 12 to 24 hours, and they may have a dollar deductible.
- Emergency Response Fund Coverage. This insurance allows the insured company to hire consultants to minimize the damage resulting from a hacking attack or other malicious intrusion into the CRM system. It also covers the preserving of forensic evidence used to identify the hacker or other intruder. This section generally carries a sub-limit--between $100,000 and $200,000.
Third party insurance covers a company in the event of a claim made by another. A company may be liable for a security breach on its own system or on a provider's system. Fortunately, there are policies available in the area of privacy and network security as well.
Steve Greechie (MBA, MSLIS, MA) is a freelance business writer in New York City. He's published extensively in a range of publications, including The Boston Business Journal, Information Outlook, Online, Architectural Record and The Journal of Business and Finance Librarianship. He contributed to The Core Business Web, which The American Library Association named The Best Business Reference Book of 2003. His internet copy appears widely.