Who’s Afraid of the Big, Bad Cyber-Wolf?
Insuring Your Company Against Today’s E-Business Risks
By Philip Pierson, Founder and Manager, e-Sher Underwriting Managers, Irvine, California
How likely is it that your company network will be broken into by hackers or attacked by the latest rash of computer viruses? Is the insurance industry crying, “Wolf!” or are there “real” risks out there? Experts claim that computer hackers and viruses alone will cost businesses more than $1.5 trillion this year.[1] Industry statistics and reports are making risk managers sit up and take heed.
As a megabyte-dependent, highly network-connected society, business survival is fought on the battlefield of interactive cyberspace. Unfortunately, cyber criminals are also hip to the digital realm, and are using their electronic wiles to wreak havoc. According to research by Price-Waterhouse, U.S. businesses are at risk of losing billions of dollars due to e-business attacks and accidents.
Today with more businesses relying on their computers, network connectivity, e-mail systems, and the Internet, risk managers must assess their company’s exposures, risks and liabilities, and seek appropriate security measures and e-business insurance coverage in the event of a catastrophic incident.
Form an e-Risk Assessment Team
To truly assess your company’s exposure, pool together experts from information technology, network security, financial management, and risk management departments. Together you should examine the five main components of the company’s system infrastructure—areas that can expose your organization to electronic risks:
Environment: the physical characteristics surrounding a computer facility and equipment including power and water sources, doors, alarms and ventilation
Connectivity: the interfaces that enable computers and other devices at the site to provide Internet-based users with desired services, and those that allow Internet-based visitors to contact and use corporate resources. These include routers, firewalls, hubs, wiring/cabling, modems etc.
Platforms: the end points of connectivity, usually physical computers and operating systems that are deployed as Internet servers, database servers, routers, firewalls and desktop computers.
Services: the utility and application software and services that are user developed, vendor-provided and/or purchased from third parties.
Human Factors: the people that affect the performance and security of the system.
The exposures associated with each of these components will vary by degree, depending on the size of your company and the sophistication of your systems and networks. But a breakdown or failure in any of these areas can be extremely costly to identify, repair and restore, and may have a devastating effect on internal and external communications, customer relations, sales, and profitability.
Even the smallest company can be faced with financial ruin if the ability to conduct business is halted by system or software failures, malicious assaults on databases or data files, or by computer or network sabotage from an internal or external security breach.
Assess Specific E-risks
Last year, major companies like Buy.com, Yahoo, and eBay were shut down due to “denial of service” attacks. CD Universe was hacked into and held hostage as hundreds of thousands of credit card numbers were stolen. Perhaps the most shocking example of “netspionage” was perpetrated against the computer giant Microsoft’s internal network, stealing priceless digital blueprints of future products.[2]
As you can see, new age cyber-perils can threaten a company’s competitiveness and ability to survive in the global marketplace. Your company should assess its vulnerability to the most common and costly electronic exposures:
Virus Attacks: Viruses can be very disruptive to an organization’s productivity and sales. U.S. businesses with more than 1,000 employees stand to lose more than $266 billion to viruses alone this year.[3]
Denial of Service Attacks/Electronic Sabotage: In its most familiar form, a denial of service attack occurs when a Web site server is bombarded with a staggering amount of traffic, eventually disabling the network. A DoS attack can also be as simple as a single malformed message, like the “ping of death,” that stops a process cold.
Security breach/Cyber-terrorism/Netspionage: Security breaches can amount to billions in damage each year. According to the American Society for Industrial Security, in 1999 Fortune 1000 companies sustained losses of more than $45 billion from the thefts of proprietary information alone. In-house security breaches are also on the rise, accounting for 70–90 percent of attacks on corporate networks.[4]
Fraud/Modification of Information: The Internet Fraud Council estimates that Internet fraud cost between $9 and $108 billion in 1998 alone.[5] As incidents of electronic fraud spiral out of control, the lack of privacy for online consumer information is another exposure area. Credit card numbers, bank account numbers, medical information and other data can be grabbed off “private” systems and used in fraudulent ways.
Equipment/Software Failure: Internal or external equipment and process failures can result in millions of dollars in damage, including assessment and troubleshooting the system, loss of new business, damage to credibility and legal fees.
Companies that recognize and address their e-risks today will be able to effectively compete in tomorrow’s marketplace. Although many security breaches aren’t meant to cause damage, the risks of going without coverage are simply too great to ignore in our increasingly e-business dependent economy.
Effective contingency planning is critical to mitigate potential losses. The actual implementation of these plans is costly and can have significant impact on operations. For example, redundant systems designed for recovery after a system incident has occurred are extremely expensive to maintain. E-business insurance policies can complement contingency planning by covering the cost to implement redundant systems and other plan elements that trigger extra expense, such as public relations costs to handle crisis management and legal fees to cover Internet-related lawsuits.
Quantify Your Organization’s Potential Losses
The biggest barrier to understanding your risks and potential exposures is helping your organization understand the breadth of Internet-related risks. Cyber attacks cost U.S. companies an average of $265 million last year—more than double the average annual losses for the previous three years—according to a study by the San Francisco-based Computer Security Institute (CSI) and the San Francisco FBI Computer Intrusion Squad.[6] In fact, 70 percent of the respondents (primarily large corporations and government agencies) experienced network intrusions in the past 12 months.[7]
As the threats continue to grow, your organization must quantify its potential losses—the most difficult aspect of e-business risk assessment. Companies need to look at five main categories, adding their maximum potential losses in each area to determine their TOTAL potential for loss:
Loss of Productivity/Absorption of Recovery: There is no easy way to estimate the cost of system downtime. The cost will obviously depend on the size of the business, the number of operations dependent on the system, the type of industry, and the time the system is down.
- Computer Reseller News estimates today’s cost of system downtime, not including lost revenue, at $300 per minute for a medium-sized LAN to $633 per minute for a larger network.[8]
- Market data from Contingency Planning Research calculates system downtime costs in a range from $1,200 per minute for a retail business to $108,000 per minute for a financial brokerage operation.[9]
Cost of Upgrading Security Infrastructure: Once your organization has experienced a security breach, upgrading your security infrastructure can be a costly part of responding to the incident. The number of companies spending more than $1 million per year on computer security doubled in 2000, but internal and external breaches continue to rise.
Lost Sales: Most businesses have a pretty good idea of how to measure lost sales. If your business typically averages $5,000 an hour in e-commerce sales, then three hours of downtime would result in a loss of $15,000. More difficult to measure is the loss in potential sales.
Loss of Business Reputation/Credibility: If a company experiences a denial of service attack or a major equipment failure, customers may view it as unprepared—or even incompetent. Loss of credibility can also result from the deliberate intent of a third party, such as a customer or disgruntled employee who uses an Internet chat room or message board to criticize, scandalize or otherwise slander an organization. Some reporters use online complaints as fodder for news stories, wreaking havoc on a company’s image and reputation.
Legal Costs: Many security breaches or Internet slander cases end up in court. Companies should determine the potential legal costs of various scenarios and be prepared to include these legal costs in their assessment of potential damages.
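The five categories above are meant to be totaled: the article’s procedure is to take the maximum potential loss in each category and add them up, then compare that total with what existing policies would actually pay. The following is an added worked example, not code from the article or from e-Sher Underwriting Managers. It uses the article’s own per-minute downtime figure ($1,200 per minute for a retail business) and its $5,000-per-hour e-commerce sales illustration; the two incident scenarios, the upgrade, reputation and legal amounts, and the policy limits are constructed sample values chosen only to show the calculation.

```python
"""Quantify total potential e-business loss and the uncovered gap per category.

Added example (not from the article). Dollar figures for the scenarios and
policy limits are constructed placeholders, except the $1,200/min retail
downtime rate and the $5,000/hour sales figure quoted in the article.
"""
from dataclasses import dataclass

# The article's five loss categories, in its order.
CATEGORIES = (
    "productivity",  # Loss of Productivity / Absorption of Recovery
    "upgrade",       # Cost of Upgrading Security Infrastructure
    "lost_sales",    # Lost Sales
    "reputation",    # Loss of Business Reputation / Credibility
    "legal",         # Legal Costs
)


@dataclass
class Scenario:
    """One incident the assessment team has worked through."""
    name: str
    downtime_minutes: float
    cost_per_minute: float   # downtime cost excluding lost revenue
    hourly_sales: float      # e-commerce revenue per hour while the site is up
    upgrade_cost: float      # post-incident security infrastructure upgrade
    reputation_loss: float   # estimated credibility damage
    legal_costs: float       # litigation and counsel

    def losses(self) -> dict:
        """Loss per category for this single scenario."""
        hours_down = self.downtime_minutes / 60
        return {
            "productivity": self.downtime_minutes * self.cost_per_minute,
            "upgrade": self.upgrade_cost,
            "lost_sales": hours_down * self.hourly_sales,
            "reputation": self.reputation_loss,
            "legal": self.legal_costs,
        }


def max_potential_loss(scenarios) -> dict:
    """Article's rule: worst case in each category, then sum the maxima."""
    worst = {c: max(s.losses()[c] for s in scenarios) for c in CATEGORIES}
    worst["total"] = sum(worst[c] for c in CATEGORIES)
    return worst


def coverage_gaps(worst: dict, limits: dict) -> dict:
    """Uncovered amount per category; a category with no limit is wholly uncovered."""
    gaps = {c: max(0.0, worst[c] - limits.get(c, 0.0)) for c in CATEGORIES}
    gaps["total"] = sum(gaps[c] for c in CATEGORIES)
    return gaps


# Constructed scenarios: a three-hour web-store outage and a card-data theft.
SCENARIOS = [
    Scenario("3-hour web-store outage", 180, 1_200, 5_000, 50_000, 100_000, 25_000),
    Scenario("customer card-number theft", 30, 1_200, 5_000, 250_000, 400_000, 300_000),
]

# Constructed example of what traditional policies might pay per category;
# categories missing here (upgrade, lost sales, reputation) are not covered.
TRADITIONAL_LIMITS = {"productivity": 100_000, "legal": 50_000}


if __name__ == "__main__":
    worst = max_potential_loss(SCENARIOS)
    gaps = coverage_gaps(worst, TRADITIONAL_LIMITS)
    print(f"{'category':<14}{'max loss':>14}{'uncovered':>14}")
    for c in CATEGORIES + ("total",):
        print(f"{c:<14}{worst[c]:>14,.0f}{gaps[c]:>14,.0f}")
```

The per-category maximum matters: the outage dominates productivity loss while the data theft dominates reputation and legal costs, so neither scenario alone gives the true exposure. The gap table is what the later section on coverage gaps asks you to produce, category by category, before shopping for an e-business policy.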
Assess Your Coverage Gaps
It is questionable whether traditional business insurance will cover these intrusions and e-business liabilities, as policies were written long before the Internet, electronic communication or e-commerce. The language focuses on very tangible, real-world property and perils. Even general liability policies may not cover new third-party liabilities that occur as use of the Internet increases. These policies were not written to cover the digital data exchange in cyberspace or to protect companies in their role as publisher of a Web site or proprietor of an e-store. E-business has unique loss exposures that require new insurance products and risk management techniques.
Your organization must determine if it has potential coverage gaps and inconsistencies. Traditional definitions of media liability and errors and omissions insurance do not address Web page creation or online financial transactions involving confidential data.
Standard directors and officers liability insurance policies may not apply because they generally do not cover corporate entities. Lawsuits arising out of a company’s online operations will most likely look to the company as the primary defendant, not its officers. In addition, it’s nearly impossible to hold software vendors and IT service providers contractually responsible for losses without risk transfer.
To be fully effective, your organization must explore the in-depth definitions, limitations and special clauses in its existing coverage to identify its potential gaps and exposures, and the potential financial losses from these exposures.
Select a Cyber Insurance Plan Created Specifically for the Electronic Age
It doesn’t matter how big or small your business may be—it is still a potential target for cyber-crime. Today’s companies are more vulnerable than ever before to damage caused by computer hackers, data thieves, disgruntled employees and computer malfunctions. In this environment, opportunities for Internet-related coverages are growing, as are companies’ needs for protection tailored to their specific risks.
Even with the most sophisticated security measures, companies are still vulnerable and cannot eliminate risk entirely. E-business coverage can be customized for businesses of almost any size or industry, including those with high exposure, such as financial institutions and healthcare providers.
E-business insurance will help cover business interruption and lost revenue, as well as cover first- and third-party network incident damage. These types of policies would include electronic extortion protection, data and software replacement, and electronic communication liability such as liability for confidential records and electronic publisher’s liability. A company should also protect against negligent acts such as libel, slander, copyright infringement and plagiarism in the electronic realm.
To assist with security protection, an e-business insurance plan should offer services for security analysis, risk management consulting services, and crisis response support.
Choose an Underwriting Partner with a Comprehensive E-Package
When selecting e-business insurance, find an insurance carrier or managing general underwriter (MGU) that can offer your company specialized experts and a comprehensive package, including flexible customized options and other security, risk assessment, crisis management and technology services through their strategic partnerships. Your company’s insurance broker is a good resource to help identify specialized carriers or MGUs. A complete package will help your company to:
- Identify its particular exposures and liabilities
- Strengthen its internal network security
- Immediately detect security breaches as they occur and find the source of intrusion
- Assess and document damage from a cyber attack
- Assist with crisis communication and redundant system deployment
- File and be paid for claims promptly and accurately
- Insure your company against losses and damages in the event of a catastrophic event.
Without a complete package, your company’s losses can mount astronomically.
Choose an underwriting partner that works with technology companies to offer risk assessment and intrusion detection software that immediately detects breaches and documents damage. In this way, your company’s internal security system is strengthened, and when an intrusion occurs, it is quickly detected, stopped, and losses are minimized. These underwriting managers often offer premium discounts to companies that install such software.
Also select an underwriter or underwriting manager with a good reputation for processing claims. They should be able to bring in the necessary financial and damage assessment professionals to accurately evaluate losses and damage, and be able to price and settle a claim in a timely manner.
Finally, you may wish to have your broker work with a specialized underwriter that can spend time with your company outlining the various insurance coverages and policies out there. The underwriting manager should help you to understand the particular cyber risks and liabilities your company is exposed to. Some underwriting managers will conduct risk-mapping workshops and presentations for your senior management and bring overall security and risk expertise to the consulting table.
Conclusions
Although more companies are investing in network security products and services, security breaches are still on the rise. The best and least costly defense against the big, bad cyber-wolf is one that allows your company to keep damages to a minimum by having the proper security, crisis management and insurance plans in place.
By filling in the gaps in a company’s traditional insurance portfolio, e-business insurance helps organizations address all the unique risk management challenges they face as a result of engaging in e-commerce. Make sure your company maintains the appropriate insurance coverage as the business grows. Work with an agent who can continually keep you apprised of new coverage offerings as the insurance market develops. In turn, keep your agent informed of your company’s growth, so he or she can reassess coverage as your business increases in value. 
Notes
[1] “Viruses and Hackers Costing Business Big Bucks,” CyberAtlas, and InformationWeek Research study, July 2000; fielded by PricewaterhouseCoopers LLP.
[2] “Microsoft Hack Shows Companies Are Vulnerable,” Reuters, October 29, 2000.
[3] “Viruses and Hackers Costing Business Big Bucks,” CyberAtlas, and InformationWeek Research study, July 2000; fielded by PricewaterhouseCoopers LLP.
[4] “The Enemy Within,” by Sharon Gaudin, Network Fusion World.
[5] “Council Formed to Fight Fraud,” Reuters, Special to CNET News.com, May 11, 1999.
[6] Quinn, Andrew, “Computer Security Attacks, Losses Surging - Study,” Reuters, March 22, 2000.
[7] Quinn, Andrew, “Computer Security Attacks, Losses Surging - Study,” Reuters, March 22, 2000.
[8] Lancast, “Safeguarding Non-Stop Networks with the Lancast Redundant Twister,” white paper, p. 2, 2000.
[9] Lancast, “Safeguarding Non-Stop Networks with the Lancast Redundant Twister,” white paper, p. 2, 2000.
ABOUT THE AUTHOR
Philip Pierson is vice president of technology services for Sherwood Insurance Services and founder and manager of Sherwood’s proprietary facility, e-Sher Underwriting Managers, a company that works in conjunction with leading-edge security assurance developers, counselors and intelligence experts to provide policyholders with high-quality risk and security assessments and products, to avoid or at least mitigate damage to computer networks and information assets before it occurs.
riskVue | The webzine for risk management professionals
September 2001