Cyber risk coverage is an even more recent phenomenon than the Internet itself
By D. Douglas Graham
Editor's note: Part 1 of this feature (in the March issue) looked at the new liability exposures to which businesses are exposed as a result of their Internet activities and the various risk categories.
The Internet is strewn with legal landmines sufficiently powerful to do mortal damage to anyone unfortunate enough to step on one of them. At risk is any company or institution passively or actively present in cyberspace, even if its Web business consists solely of sending and receiving e-mail. Internet hazards come in many forms, from hacker-induced viruses that can cripple a Web-based operation, to incidents of unauthorized access resulting in the theft of customer identity information and credit card data. All have the potential to produce legal maelstroms, and the situation becomes even more distressing when one fully appreciates the enemy's will to power.
"Hackers are extremely well organized," says Litchfield Insurance Group Chairman and CEO, Bob Phelan. "Some even post public Web sites that instruct other hackers about how to break into someone's operation and destroy it. These guys are also incredibly bold. They go to trade conferences at major hotels and talk shop right out in the open. FBI agents attend these things as well, but because no laws are broken they can't do anything apart from keeping track of the proceedings."
Many incidents go unreported, Phelan claims, because the victims don't want their customers and trading partners to know just how vulnerable they truly are. Scarier still is the fact that many Web-based operations don't even notice when they've been hacked because they aren't looking for incriminating evidence. Such seemingly incomprehensible inattention is encouraged by the false impression that firewalls, software solutions and encryption programs are enough to keep the barbarians from busting down the gates.
Nothing could be further from the truth. With close to 60,000 known viruses already, and hundreds more cropping up each month, it's a disaster in the making.
Fixing it
From an insurance perspective, cyber risk coverage is a sticky proposition because traditional liability products do not address Internet exposures. This is understandable given the fact that the policies were written long before the advent of the Net and the propagation of Web-based enterprise throughout the world. A flurry of recent lawsuits has focused national attention on this issue, however, and in the near future cyber liability almost certainly will become an insurance industry growth area.
"Up to now, traditional insurance products did not work for cyber exposure," says Phil Pierson of e-Sher Underwriting Services, an Irvine, California-based managing general agent that specializes in cyber risk insurance solutions and risk management service. "Now, due to some recent court cases, insurance companies are beginning to insert some specific wording in their policies with respect to cyber or electronic risk."
The risks involved in Internet business have blossomed with the Net itself, and some insurers have developed products addressing these exposures. Most take into account first- and third-party losses. First-party coverage protects against losses suffered by the insured--downtime or systems damage resulting from a virus, for example. Third-party coverage protects the insured against lawsuits arising when customers or trading partners are affected by first-party situations, including serious compromises such as the theft of credit card numbers.
There is also a catchall category covering exposures not necessarily addressed by first- or third-party products--the loss of intellectual property and trade secrets, for example, and some of the risks entailed in sending and receiving e-mails. To a certain extent these unique and highly specialized products defy classification, but they are important to note because they close the coverage gap.
Players and products
According to Kirk Denebeim, vice president of San Francisco-based ECM Insurance Services, a handful of insurers currently offers errors and omissions products that provide coverage for Internet exposure, media publishing, virus and unauthorized access. The cast includes the Gulf Insurance Company (through Media/Professional Insurance--Media/Pro--in Kansas City, Missouri), American International Group, Royal Surplus Lines Insurance Company, Liberty International, Chubb & Son, and underwriters at Lloyd's, London. While coverage addressing technology risk is often priced conservatively, the cost to the customer may vary radically from insurer to insurer. This is because the coverage is literally brand new, and almost nothing about it has been struck in stone.
"This area of insurance still suffers from a lack of standardization," Denebeim says. "There are no standards, no sharing agreements, no definitions, no nothing. The reason is because cyber risk coverage is an even more recent phenomenon than the Internet itself. It's also hard to price. We're dealing here with an area of exposure where the losses are still largely undeveloped. When you have that kind of uncertainty, and a lack of solid actuarial data, you wind up taking a dart and dartboard approach to pricing. Premiums are literally all over the board because you can't gauge appetites from one market to another. You could send a stack of applications to five guys one week, then send the same applications to the same guys two weeks later, and get a totally different set of responses on each occasion."
There are some insurance companies that focus on providing specialty coverage for technology risk. Examples include Royal, AIG, Zurich, Lloyd's and InsureTrust. These companies offer stand-alone policies specifically addressing technology risk without referencing any other type of insurance a client might currently have. Another approach to the problem is to add technology risk coverage by means of an endorsement on an existing policy.
"Say, for example, your commercial liability insurance is with St. Paul or Hartford," explains Joel Rothman, president of Boca Raton, Florida-based Technology Risk Solutions. "You might decide to purchase an endorsement available in different flavors that will close the gap and provide coverage for technology risk at the same time."
The option one chooses ultimately will depend on several factors, Rothman continues. First, what is the risk? Second, what insurance products are available in the marketplace that address that risk? Third, will an admitted or nonadmitted product be the most appropriate solution? Fourth, how much will it all cost? A company seeking such coverage also should decide if it is comfortable with an insurance product that simultaneously addresses intangible and technology risks and more traditional property and casualty coverage. All of these considerations should be taken into account before making a decision, Rothman advises.
"Insurance is only one of the solutions to the cyber risk problem," adds IT Risk Managers President and CEO Larry Harb. "Technology is the first piece and before you go looking for insurance, you'll want to make sure that all appropriate measures are put in place to keep the wolves at bay, including firewalls, tripwires, software and other technological barriers. Many carriers, especially those offering first-party coverage, require that their customers go through a Web site assessment or at the very least fill out a questionnaire about their security policies and procedures, and disaster recovery program. Insurance companies are in the risk transfer business, but they don't want to take on risk themselves."
The author
D. Douglas Graham is a freelance writer from Columbia, Missouri. He specializes in technology, e-commerce and other areas of the new economy.