Technology

Internet security—A growing risk for businesses

More types of companies are vulnerable; agents step up their risk management role

By Len Strazewski


Worms, viruses, identity theft and Internet fraud of various sorts are old news to high-tech consumers, but commercial insurance clients are just beginning to understand the huge potential for business liability and operational losses these crimes create.

And they are just discovering how those risks can be prevented or insured, says John Moccia, principal at The Rollins Agency, Inc., in Tuckahoe, New York, and director of its technology and professional division.

Internet security breaches and other digital risks not only create operational losses for the victims, but they also may provoke third-party liability cases involving clients, consumers and contractors, he says.

And while risk managers and chief financial officers are getting pretty savvy about the broad issues, they may not be up to speed on the technological issues of network security or the legal issues of privacy that may generate new kinds of liability, he notes. That education falls to their agents.

“Commercial clients are starting to understand that the risks involved with e-commerce and network security are potentially huge and devastating. They are at the point where they realize that privacy and confidentiality of their client information is as necessary as their own security,” Moccia says. “And they are starting to ask about whether or not their insurance covers them against these losses.”

The answer for many, according to agents, brokers and insurers with high-tech expertise, is “no,” under traditional business package policies and comprehensive general liability insurance.

Founded in 1910, Rollins has had a technology division since 1997, and is also a founding member of TechAssure, an international group of 15 brokers that specialize in technology clients and risks. The agency has 42 employees with 8 in the technology division. The division’s clients include software developers, Internet service providers (ISPs), online communities, e-commerce companies, online content providers, hardware manufacturers and distributors, telecommunications companies, consulting companies and application service providers (ASPs).

The agency also has a special program, called Tech Track, for emerging companies in technology.

Technology division insurance products include professional liability, multimedia liability (personal injury, intellectual property, publishing and advertising liability), Internet commercial liability, Internet breach of security and loss of revenue coverage, research and development business interruption, computer property protection, technology errors and omissions, and patent infringement, as well as more traditional commercial and personal lines.

“Insurance carriers have responded pretty well with new kinds of coverages, but clients also need to understand how operational changes and improved security can help reduce their risks,” Moccia says. “There are not good risk audit checklists for this. Clients have to rely on their agent’s training and experience.”

Steven Haase, chief executive officer of INSURETrust.com, a wholesale broker in Atlanta, Georgia, says he has been marketing cyber liability insurance since 1997 when he began underwriting the coverage for a Lloyd’s of London syndicate that was experimenting with the new risks at the time.

The coverage has evolved since then, he explains, as the risks multiplied. Most commercial clients are now insured against their own data losses and some business interruption, the coverage that was first developed in the 1980s and 1990s with the explosion of enterprise computing systems.

Many organizations are expanding the coverage to include losses incurred by the customers, clients and business partners who may depend upon their networks for business operations. Companies that manage online transactions, store or process data for clients, or maintain supply chain ordering and fulfillment may have particularly large third-party liabilities.

“Agents are finding that their existing clients are adding this coverage at renewal this year and new clients are starting to inquire about coverage and pricing,” Haase notes.

INSURETrust.com has six employees and also markets professional liability coverages. Haase says the firm spends at least as much time helping retail agents and their clients with risk management issues as it does marketing coverage.

“Agents now more than ever have to be experts in risk identification,” he explains. “We have to work with the retail agents to help them examine the real risk profile for their clients and identify the potential for high frequency and severity of potential losses.”

Helping clients understand their risk profile not only contributes to the application and underwriting process, but also helps organizations develop better overall security, he notes.

Cyber risks continue to grow in number and complexity, according to a recent survey conducted by the Computing Technology Industry Association (CompTIA) in Oakbrook Terrace, Illinois. More than 56% of the 500 organizations responding to the CompTIA Study on IT Security and the Workforce reported suffering a browser-based attack—some sort of Internet hacking that uses the browser system and user system permissions to disrupt computer functions—in the previous 12 months. Last year, only about 37% reported these types of attacks and in 2003, only 25% were hit.

Phishing attacks—attempts to use realistic e-mail and imposter Web sites to gather financial information from consumers—also increased dramatically. About 25% of respondents reported phishing attacks, up from 18% the previous year.

However, while viruses and software worms are still the leading problem, their incidence seems to be leveling off, according to the survey. About two-thirds of respondents reported virus or worm attacks, down from nearly 69% last year.

The virus threat is still severe, despite better anti-virus programs, says Brian McCarthy, CompTIA chief operating officer. “Though security software has become increasingly more advanced in its ability to detect threats to networks, applications and operating systems, hackers are sophisticated enough to reverse engineer patches and launch counter-offensives to vulnerable systems in 48 hours,” he says.

These sorts of attacks create the potential not only for direct losses for the victim organizations, but also liability for losses sustained by individuals, says Brad Gow, vice president, ACE Professional Risk in Philadelphia, a leading underwriter of cyber risk coverage.

Last year, after the theft of credit card numbers from a bill processing company, California passed legislation holding businesses liable for consumer losses resulting from violations of their data security.

Gow says 38 other states are considering similar legislation, creating a new level of liability exposure for many companies. Health industry and insurance companies also have privacy obligations under the 1996 Health Insurance Portability and Accountability Act (HIPAA).

The result has been an opportunity for what Gow calls “cyber extortion,” situations in which high-tech criminals demand payments from corporations in lieu of an attack.

He cited a study conducted by the SANS Institute, a computer industry security organization in Bethesda, Maryland, that indicated that as many as 7,000 companies have already been hit by cyber extortionists, demanding from $10,000 to $400,000.

Among the threats used by the cyber extortionists are traditional “hacking” of confidential information held in online databases and “denial of service” attacks in which hackers flood the flow of information to Internet sites to prevent legitimate use.

In addition to financial service companies that host monetary or credit transactions, online retailers are particularly vulnerable, Gow says, “and these days, many companies have some sort of online sales function, which means they are capturing credit card numbers and other private customer information that is very valuable to criminals.” Because of the federal requirements under HIPAA, medical industry companies are also big targets for cyber extortion and hacking, he notes.

Agents and brokers who specialize in technology risks say that as the exposures are growing, insurers are responding with redesigned coverage and broad availability for employers of all sizes. About 15 insurers provide some sort of cyber liability in about 30 different products and packages, agents say.

Peter R. Taffae is managing director of Executive Perils, Inc., in Los Angeles, a wholesale broker specializing in technology and professional liability. The firm has nine employees and markets cyber liability coverage that meets what he says are the new standards of risk.

“There is still a broad misconception among small to medium-sized employers that their comprehensive general liability and business package policies will insure them against cyber risks,” Taffae says. “In most cases, they are wrong and the coverage for these risks is either excluded or extremely limited. It really is up to their retail agent to identify their risks with a risk management audit and communicate the need for additional appropriate coverage.”

Taffae says admitted markets can provide up to about $50 million in total limits, but most policies will be for much lower limits—from $100,000 for small businesses to about $10 million for larger companies. Underwriters include ACE USA, American International Group, Chubb Group, The Hartford Insurance Group and Lloyd’s of London.

Coverage and exclusions vary widely. For example, ACE USA offers coverage for both first- and third-party digital risks. A digital technology and professional liability policy provides professional liability coverage for technology and Internet errors and omissions, electronic media liability, network operations security liability and cyber extortion. Minimum premium is $15,000 and limits of up to $25 million are available.

ACE also recently announced the Digital DNA Network Risk program, which insures against organizational and data losses resulting from digital risks. The policy covers business interruption losses, cyber extortion losses, loss of digitally stored assets and security failure compliance expense. Limits from $1 million to $15 million are available, Gow says.