MANAGING CYBER RISK

AIG executive says explosive growth of technology
leaves businesses of all sizes vulnerable

By Phil Zinkewicz


Companies spend more than U.S. $13 billion in damages caused by security breaches in their information technology (IT) systems. In just the first five days of circulation, the I Love You virus cost businesses $6.7 billion. The Slammer worm made Internet history as the fastest spreading computer bug, crippling banks and airlines worldwide. It took only 10 minutes to infect 160,000 computers.

These sobering and startling statistics can be found in a "brokers' tool kit" produced by AIG eBusiness Risk Solutions (eBRS), a unit of the property and casualty subsidiaries of American International Group (AIG). The purpose of the tool kit is to assist brokers and agents in understanding the importance of the need for insurance products and risk management services that protect corporate and personal assets from the emerging exposures inherent in the rapidly expanding world of technology and e-business.

There's more. A recent survey of more than 500 large U.S. corporations and government agencies conducted by the FBI and the Computer Security Institute, found that:

* 90% of respondents had detected computer security breaches within the past 12 months

* 80% acknowledged financial losses due to computer breaches

* 74% of respondents cited their Internet connection as a frequent point of attack

* 33% cited their LAN networks as a frequent point of attack

* 34% reported network intrusions to law enforcement officials

* 40% reported detections of external hackers and denial of service attacks

* 78% detected employee abuse of Internet access privileges

* 85% detected computer viruses

The survey showed a breakdown of dollar amount of e-business losses by type. Unauthorized insider access resulted in roughly $4.5 million. Financial fraud caused about $115.7 million in losses; telecom fraud, $6 million; theft of property information, $170.8 million; virus, almost $50 million; laptop theft, $11.7 million; inside net abuse, $50 million; denial of service, $18.3 million; sabotage, $15 million; systems penetrations, $13 million; and telecom eavesdropping, $345,000.

"In the 21st century, where computers are all connected to each other, the term 'property' no longer consists of buildings, desks and chairs," says Ty R. Sagalow, executive vice president and chief operating officer of eBRS. " 'Property' must now include systems programs, important data, communications programs and all of the things that are part and parcel to the new world of information technology and e-business. However, businesses out there may not be aware that traditional policies generally do not cover data and information systems from security threats, leaving businesses vulnerable and in considerable need of specialized protection from network risks."

Sagalow says that eBRS has been offering such specialized coverages for some time now. About two years ago, eBRS introduced AIG Personal Internet Identity Coverage (PIIC), a coverage designed to help businesses and other organizations address the online privacy concerns of consumers by offering reimbursement of financial losses and legal assistance in the event of identity theft. Target markets for this coverage include: credit card companies and other financial institutions that use a customer's credit card bank and brokerage account numbers for online transactions; Internet service providers, including companies that provide Internet access via television or wireless devices; credit information service providers that report credit irregularities resulting from an identity theft incident; employers managing their employees' personal information online through company systems; and, associations offering personal insurance lines as part of member service programs.

The AIG unit had already been offering virus distribution coverage, which protects insureds from property damage to the computer caused by a virus.

This e-business insurance sector of the industry has apparently proven very attractive for AIG because, just last May, eBRS enhanced its NetAdvantage® Suite (2003) of network security insurance and risk management services to "address the increasing exposure to threats of viruses, hackers, information theft and destruction, and cyber terrorism."

According to Sagalow, new features include:

* Network business interruption, providing payment for both online and offline business interruption losses following a computer attack. This includes coverage for extended business interruption losses and dependent business interruption losses.

* Forensic expenses and extra expense coverage, providing reimbursement for computer attack forensic and investigation expenses and payment for certain additional expenses incurred to restore the insured business.

* Broadened network security liability coverage for third-party damages and defense costs for legal liability arising out of a covered computer attack on the insured's network, including punitive damages.

* Broadened definition of computer attack including both targeted and non-targeted attacks.

* Identity theft liability coverage for theft of electronically stored personal information of employees, customers, or clients of the insured; an optional AIG identity theft call center is also available.

* Cyber terrorism coverage available by endorsement for broadly defined Acts of Terrorism, providing coverage for both "certified" and "non-certified" acts of terrorism as defined in TRIA. Coverage provides for first- and third-party loss, damage to data, business interruption and third-party liability resulting from acts of cyber-terrorism.

* Physical theft of hardware containing data and information assets.

"As the leading provider of network security and cyber-risk insurance (Sagalow says that eBRS has about 70% of the market, so far) eBRS is continually re-examining its product set to meet the new risks and challenges of today's business environment," says Sagalow. "We currently have about 160 brokers--from the large alphabet broker to the local mom and pop agency--selling these e-business products. The technology exposures of the large corporate exposures are evident, but many agents and brokers don't realize that even the smallest businesses today have technology exposures--everything from the small local bank to the local supermarket."

Sagalow says that the brokers' tool kit is intended to make it easy for the smaller agents and brokers to sell these e-business products to their smaller commercial clients. "In our tool kit, we have provided the broker with a series of basic questions to ask a client when selling our products," says Sagalow. They are:

* Does your company maintain important or confidential data such as client information? Do you know the financial cost of replacing that data if it is damaged in a computer attack? Do you know the financial cost in legal expenses, judgments, settlements and punitive damages in the event of litigation arising from that data being stolen in a computer attack?

* Is a working computer network important to the operations of your company? Would business be adversely affected if the network was shut down due to a computer attack? If so, do you know the financial cost in lost revenue and additional expenses associated with such an event? Would such a computer attack adversely affect your ability to service your clients?

* Do you know the financial costs in the event of an employee-transmitted virus to your customers, clients, Web visitors or other third parties? Do you know you may be responsible even if it is accidentally sent?

* Has your company ever been hit with a mass computer virus, such as NIMDA or Code Red, and do you know the total financial consequences of that event?

"There are other questions," continues Sagalow, "including whether a company is vulnerable to a cyber extortion threat, whether a company renders Internet professional services to others, whether the company maintains a Web site and whether the company directly or indirectly affects the economy or the health and welfare or safety of the public. All these things are what businesses large and small must consider in these days. We're talking about potential losses that are intangible. We're not talking about when a store burns down and you can measure the property loss. Today, a computer virus can go around the world in minutes and damage entire data bases."

Sagalow says that, when purchasing insurance coverages for technology exposures, it is extremely important to know what is being covered. "The sources of computer attacks are varied. Most people think of computer attacks as being perpetrated only by financial fraudsters. Certainly, they are a big part of the problem, but computer attacks can be perpetrated by terrorists, disgruntled employees or ex-employees who just want to have revenge on their employers or even the 14-year-old freckle-faced kid who is hacking for fun. Many policies cover only certain types of attacks. Our coverage is for all attacks."

On the risk management side, Sagalow says that eBRS is also providing assistance to brokers and, in fact, anyone who wants information on controlling e-business exposures. Any company can log onto the unit's Web site (www.aignetadvantage.com) and, in an hour, get a complete analysis of the company's IT situation. "This site exists as a public service," says Sagalow. "If the company sends in an application for insurance, we will send in a team of IT experts from a third-party vendor to analyze the company's situation, write a 25-page report and give the company a grade. If that company accepts the vendor's recommendations and purchases our coverage, there will be a discount on premium of about 25%. If the company decides not to purchase our coverage, they keep the report, worth about $50,000, as our gift."

Sagalow says that the e-business area is one in which eBRS expects to grow, and he invites brokers who have IT exposures in their communities to explore its programs. "For those who find this new and frightening terrain, we will help them," says Sagalow.

For more information:

AIG eBusiness Risk Solutions
Web site: www.aigebrs.com