IT Booklets » Management » IT Risk Management Process » IT Controls Implementation » Insurance
In establishing an insurance program, management should recognize its exposure to loss, the extent to which insurance is available to cover potential losses, and the cost of such insurance. Insurance programs should be commensurate with the complexity and risk of each institution. Management should weigh these factors to determine how much risk the organization will assume directly. In assessing the extent of that risk, institutions should analyze the effect of an uninsured loss on themselves and on any affiliates or parent companies. When selecting an insurer, management should also review that company's financial condition and credit ratings. Once management has acquired appropriate insurance coverage, it should establish procedures to review and ensure its continued adequacy. These procedures should include, at a minimum, an annual program review by the board of directors.
Insurance complements, but does not replace, an effective system of controls. Thus, an overall appraisal of the control environment becomes significant in assessing the adequacy of the insurance program. Effective controls and audits may result in lower premiums. Before purchasing insurance, management should assess the costs of insuring:
Estimates of these costs will enable management to choose the types and amounts of insurance to carry. They also allow management to determine to what extent the institution should self-insure against certain losses.
An institution or data center can insure against the risks covered in standard insurance policies, but such policies should be read carefully for IT-specific exclusions. Insurance that covers physical disasters often specifically excludes computer equipment, and where it does cover storage media it usually pays only for replacement of the physical magnetic media, not for the cost of reconstructing the information recorded on it. Management should clearly understand what is covered and document any gaps in coverage that may exist.
Insurance policies provide a variety of IT-related coverage. They are constructed so that they can be adapted to the particular institution's IT environment. Some examples of specific coverage and guidelines for evaluating them include: