Are you armed and protected or are you living dangerously on the e-frontier?
By Barbara Aarsteinsen, Editor, ci – Canadian Insurance Magazine (August 2002 issue; Reprinted with permission)
August, 2002 – Technology holds out a universe of opportunities — and an unnerving world of emerging risks. The digital age has revolutionized the way in which business is conducted but with the advances have come new threats and vulnerabilities.
The growing dependence on electronic exchanges, online transactions and automated processes means that information has become a key corporate asset and data flow a critical operating function. Communicating and interacting in cyberspace may be a wondrous thing but it’s fraught with perils.
When you’re a risk manager, there are a lot of scary possibilities to keep you up at night. Cybercrime is the latest nightmare.
Viruses are probably the most high-profile kind of threat. There are more than 50,000 strains out there and new variants pop up all the time. But there is a whole slew of potential problems in the wired world beyond computer bugs.
There are hackers and vandals and industrial spies to worry about, not to mention vengeful employees out to wreak havoc or simply careless workers who cause damage by innocent error. There’s the prospect of business interruption due to computer downtime or system problems with suppliers or business partners. Intellectual property can be pirated or confidential information stolen and privacy breached. Consider the danger of e-extortion, brand defamation and libel. And sites can be hijacked, with intruders replacing legitimate material with bogus information.
“Cyber crime is commonplace and the losses are significant,” says Richard Power, author of Tangled Web: Tales of Digital Crime from the Shadows of Cyberspace and editorial director of the Computer Security Institute (CSI), a San Francisco-based association of information security professionals. “There is a range of cyber threats.
“They don’t have the physical impact of smashing an airplane into a building but they can do serious damage — not only to a corporation or a government agency but to the economy of a country and to the psychological well being of a country.”
Alert to a fresh opportunity, a handful of insurers and brokers have over the past few years been creating specialty policies to cover cyber exposures. It’s been a hard sell, many acknowledge, as may well be expected when any pioneers enter uncharted territory.
However, the current players say they’re making headway as the awareness of the nature and extent of cyber crime increases — especially in the wake of Sept. 11, which put security concerns, including information security, on everybody’s front burner.
“I would have said 12 months ago that we were a voice crying in the wilderness,” says Jeffrey Grange, vice president and global manager of financial fidelity product, department of financial institutions, for Warren, N.J.-based Chubb & Son. “But in conversations that I’ve had recently with risk managers there’s absolutely a growing understanding of the real problem.”
Chubb has been underwriting specialty cyber policies for financial institutions for a little over a year. Grange says he receives about 12 to 15 submissions a week from U.S. and Canadian companies.
“Sept. 11 really spiked a lot of interest in the products. People are looking at the next possible threats,” says David O’Neill, Baltimore-based vice president of e-business solutions for Zurich North American Financial Enterprises. Zurich developed its e-commerce risk program in 1999 and introduced an expanded second-generation version this spring.
“The first quarter was very, very good for us,” he says. “If we didn’t see this as a very ripe field, we wouldn’t be investing all this time and effort.”
Risk managers say they are indeed adding cyber threats to their list of concerns. In fact, this year’s annual convention of the Risk and Insurance Management Society (RIMS), the largest risk management association in the world, featured several seminars on the subject.
But while they’re taking a closer look at the information security issue and the stakes involved, many don’t yet feel a sense of urgency, particularly as they struggle with the challenges of the hard market and rising premiums. Cyber insurance is still relatively pricey and potential insureds are often required to undertake a comprehensive risk assessment, involving considerable due diligence.
Moreover, there is still some Y2K backlash among risk managers, brokers and underwriters report. On the one hand, while the millennium brouhaha may have prompted many businesses to assess and better understand their dependence on technology, it also left behind some resentment.
Some people feel that they may have been panicked into excessive IT and security spending. Of course, Y2K may have turned out to be largely a non-event because of the fact that preventative measures were taken, but there are still apparently some lingering suspicions about cyber fear mongering.
“Everybody has been having a look, including ourselves. There are valid arguments for it but it is not a policy for everybody,” says Ed Martingano, the Toronto-based risk manager for Oxford Properties Group Inc. “It’s part of a risk manager’s job to be on top of it and aware of what new products are being developed, but that doesn’t mean it’s an exposure that has to be insured.
“Sure, everybody does have exposure but what’s your danger,” he explains. “You have to weigh the cost of buying the insurance, say for 10 years. Maybe it’s better to assume the risk and get hit sometime in the next 10 years. There’s a difference between being hacked and embarrassed and suffering real loss.”
According to RIMS president Christopher Mandel, cyber insurers and brokers are engaging in some “scare tactic selling.
“We don’t have it. We looked at it but we’re not feeling nearly as much risk as the underwriters would like us to think there is,” says Mandel, assistant vice president of enterprise risk management for the United Services Automobile Association, an insurance and financial services organization for the U.S. military community.
“We have controls in play. I’ve engaged our head of IT, who’s told me it’s not an issue for us — if he says it’s not an issue then no underwriter is going to convince me otherwise.”
David Mair, the outgoing RIMS president and associate director for risk management for the U.S. Olympic Committee, says he has weighed the cyber liability issue but he feels that the majority of his risks are covered by policies that he already has in place.
“It depends on the risk manager and the business involved,” he says. “Yes, it’s necessary for some organizations. It’s definitely an expense for everybody with a Net presence. But it’s built into three other policies that I carry.”
What’s the danger?
It’s impossible to precisely quantify cyber crime and the extent of the damage being incurred. Many attacks and transgressions go unreported — because they’re not detected, because many companies don’t want any bad publicity, because there are worries about civil liability, and because there are fears that public exposure will set victims up as easy prey, prone to further violations.
However, research by the CSI, which has been carrying out polls for the past seven years, suggests that it’s a significant and growing problem. In its 2002 Computer Crime and Security Survey, conducted in collaboration with the San Francisco-based Computer Intrusion Squad of the Federal Bureau of Investigation, CSI found that 90 per cent of respondents had detected computer security breaches within the last 12 months and 80 per cent acknowledged financial losses as a result.
That survey is based on responses from 503 computer security practitioners in the U.S., including corporations, government agencies, financial institutions, medical institutions and universities.
“Over the seven-year span of the survey, a sense of the ‘facts on the ground’ has emerged,” suggests CSI director Patrice Rapalus. “There is much more illegal and unauthorized activity going on in cyberspace than corporations admit to their clients, stockholders and business partners or report to law enforcement. Incidents are widespread, costly and commonplace.”
Forty-four per cent of the respondents were willing and/or able to quantify the hit they took, putting their losses at $455.8 million (US). That’s up from $377.8 million in 2001 and has soared from $100.1 million in 1997.
The most serious losses came from the theft of proprietary information — more than $170.8 million, with a highest individual loss of $50 million and an average loss of $6.6 million. That compares with $20 million in similar losses in 1997, with a highest loss of $10 million and an average loss of $954,666.
Alexandria, Va.-based Riptech Inc., which provides security services, recently surveyed 300 companies in 25 countries, discovering that Internet security attacks per firm increased 79 per cent between July and December 2001.
About 39 per cent of those incidents appeared to be deliberately targeted at a specific organization while 61 per cent appeared to be opportunistic, that is, the attacker was broadly searching for any vulnerable system. Companies in the high-tech, financial services, media/entertainment, and power and energy sectors were hardest hit, each averaging more than 700 attacks during the six-month period.
“The Internet security threat is real, pervasive, and perhaps more severe than previously anticipated,” Riptech concludes. “Stakeholders of Internet-connected organizations should ensure that appropriate measures have been taken to address this increasing threat rate.”
Fact vs. fiction
Although awareness of cyber danger is rising, there are apparently still a lot of misunderstandings that jeopardize true comprehension of the risks involved. The No. 1 fallacy, security experts and cyber insurance professionals report, is the belief that only high-tech companies have a tender underbelly – the “it can’t happen to me” syndrome.
If there is one message that cyber gurus want to get out, it is that virtually everybody is vulnerable in some way or another. Cyber crime is not just a problem for e-commerce firms or businesses with a Web site. A company with an Internet presence is obviously exposed, but a company that simply uses the Internet for e-mail is also at risk.
“Look at your technology configuration at a data level, at a switch level, at a data storage level, at an outsource level, then you begin to realize,” says Chubb’s Grange. “You may not have an external, interactive customer Web site but you probably do a lot right now to support your office that is entirely dependent on an interconnected network environment.
“Don’t focus on what you do on the Web — focus on your critical infrastructure, focus on your data,” he urges. “That is the bricks and mortar today, if you will. That electronic Internet backbone is the bricks and mortar of businesses today, every business.”
There is precious little immunity in the cyber sphere, agrees Jill Tellez, director of the Chicago-based network risk group for Aon Risk Services.
“‘We really don’t do that much on the Internet’ — that’s the first misconception. That, I think, from an industry perspective, is a mistake that everyone made when they came out calling this e-commerce insurance and Internet insurance, and that’s why we changed it to network risk insurance,” she says. “What I tell people is that the Internet is simply a vehicle with which you are transacting business.
“If you’re big enough to have a risk manager, then you’re at risk. If you’re a smaller bricks and mortar business where you still have your accounting person in the back with an old PC and you don’t have e-mail, you probably have very little risk and it’s not mission critical to your business — you’re not going to lose any revenue.”
The second-most prevalent fallacy that worries cyber experts is the widespread belief that cyber offenses are the work of amateurs out for a malicious thrill.
“We try very hard to disabuse people of the notion that most cyber crime is perpetrated by juveniles or sport hackers,” says CSI’s Power. “Those are simply the stories that end up in the headlines because corporations and governments will grudgingly admit to those kinds of cyber attacks, and because juveniles and sport hackers get caught since they’re not professionals. The professional attacks are not reported.”
Moreover, Power points out, the professional attacks come from within organizations as well as from external sources. Indeed, some security experts figure that inside jobs account for as much as 80 per cent of cyber incidents.
“The internal threat is by far the biggest threat,” says Rick Shaw, president and CEO of CorpNet Security of Lincoln, Neb., which works with e-Sher Underwriting Managers in advising cyber insurance clients. “Disgruntled employees have a lot of motive; former employees have a lot of motive. Sometimes they simply divulge information by mistake.
“The internal threat is very big and it’s constantly changing. It’s very hard for companies to keep up with.”
But is special insurance necessary?
San Jose, Calif.-based Dataquest Inc., a unit of Gartner Inc., reports that the worldwide security-software market will hit $4.3 billion (US) this year, up 18 per cent over 2001’s $3.6 billion in spending. However, increased IT security spending is only one piece of the puzzle, because cyber experts contend that even the best defensive measures cannot completely prevent cyber crime.
“Through the life of our survey, one of the most compelling results has come from asking questions about how security technology is used,” says CSI’s Power. “Eighty per cent, 90 per cent of the respondents have firewalls but 40 per cent will report penetrations from the outside. Eighty per cent to 90 per cent will have anti-virus software but 80 per cent to 90 per cent will report getting hit by viruses and suffering significant losses.
“Does it mean the technology is not any good? Well, there are some things people don’t deploy properly, people don’t manage properly, or people maybe buy the cheapest firewall or they don’t update their anti-virus software, ” he says. “But the overarching issue really is that technology is only one component of an overall solution to address the risks and threats in cyberspace.
“In the IT world, there is the perception that technology solves every problem, including the ones it creates, which is just not the case.”
James Finn, a principal for Unisys Enterprise Security Consulting Practice, has helped more than 200 companies in 28 countries assess their IT security. In the process, he has “ethically hacked” into each and every customer’s network system and has traveled the world meeting hackers and learning their techniques.
“If there are multi-billion companies that can’t get it right, are you sure you or your clients and partners have got it right?” he wonders. “As a good hacker, I can tell you that you take pride in not being detected. If you tell me that you’ve never heard of anybody breaking into your network, I would say that’s when it’s time to worry.”
Firewalls, encryption, intrusion detection systems and anti-virus software are important countermeasures, but no system is completely impenetrable; there are no absolute guarantees, security experts agree.
As Keith D’Sousa, Toronto-based senior manager in KPMG’s risk advisory services, points out, “if you ever had total security, you would not be able to do business because there would be so many controls.” Some risk always remains after controls are applied, and insurance is the last line of defense for that residual risk.
“If you own a business, you buy fire insurance — it doesn’t matter what business you’re in. You don’t say I’ve got a sprinkler system and a fire extinguisher, so I don’t need insurance. That would be laughable,” says Ty Sagalow, New York-based executive vice president & chief operating officer of AIG eBusiness Risk Solutions, a division of American International Companies.
“The buildings of the 21st century are networks. The assets of the 21st century are information assets.”
The hitch is, most traditional policies, written for a bricks-and-mortar world, fall short of the mark. There are dramatic gaps in coverage that don’t protect against all the emerging risks, which are, of course, increasing and evolving all the time.
Some companies have been able to negotiate coverage to bridge the holes, but carriers, worried in particular about the potential aggregation of risk exposures from a single cyber attack affecting multiple insureds simultaneously — a so-called cyber hurricane or digital earthquake — are taking a harder line and are eliminating electronic data and network liabilities from conventional general liability and property policies.
Exclusions now abound and the expectation is that soon there won’t be any coverage except for separate specialty policies.
“Last year, we were pretty comfortable telling risk managers to go to their property carriers, take some extension of terms, have them define property in tangible and intangible terms, have them define data, clarify business interruption, etc. — and we were somewhat successful in getting that. Twelve months later, we are seeing absolute exclusions,” says Tellez, who put a multi-disciplinary team together 18 months ago to advise clients specifically on cyber risks.
“Now, you’re not going to find much coverage in property. If you can, if you have a very unique manuscript form, you may have it for another year. But I’m going to tell you that the reinsurers are really prescribing exclusions of coverage.”
Given the extent of the exclusions, numerous companies are effectively self-insuring without a self-insurance program, maintains Donald Harris, underwriter for technology products at Irvine, Calif.-based e-Sher Underwriting Managers, a unit of wholesale insurance broker Swett & Crawford.
“More and more, we’re seeing changes in standard policy forms carving out Internet kinds of exposures,” he says. “Without a specific policy form to address these coverage issues, many companies are essentially going bare.”
Poised for growth
Pricing has also scared off many potential cyber insurance customers. Network risk coverage is considered expensive, costing anywhere from about $15,000 to $30,000 (US) for $1 million in coverage, and many risk managers therefore perceive it to be a policy for big companies. A handful of businesses have received $200 million in coverage but the upper limit is usually in the range of $25 million to $50 million.
“Is it expensive? It can be,” says Aon’s Tellez. “Let’s put it this way — it’s not in most risk management budgets. And it’s a large enough item that, if it’s not budgeted for, it will most likely not be purchased within the first year. It’s not a throw-in to a budget.”
As well, there are no standard forms, so cyber insurance buyers must carefully shop around and really compare the options.
There are two broad areas of cyber coverage. First-party coverage protects against losses suffered by the insured as a result of loss or damage to assets — downtime or systems damage arising from a virus, for example. Third-party coverage protects the insured against lawsuits arising when customers or trading partners are affected by first-party situations, such as theft of confidential information. Most of the insurers and brokers involved are trying to develop a range of products to suit various kinds and levels of need.
The number of players is still pretty small. There are lots of challenges, including the fact that the sector has not racked up much of a loss history and that limited track record makes it difficult to assess risk in such a rapidly changing environment. As well, underwriters have to fundamentally re-evaluate traditional concepts of jurisdiction and geographic scope of coverage.
AIG, which has written about 2,000 cyber policies over the past two years, accounts for about 70 per cent of the market.
“It takes a high degree of capital; a high degree of commitment, especially from senior management; and you need to see a payback from premiums,” points out Zurich’s O’Neill. “You pretty much have to create a separate infrastructure, with a dedicated staff.”
A natural evolution will continue to take place, market participants predict. However, the intensifying spotlight on corporate governance is seen as boding particularly well for cyber insurance. As boards of directors are being held more accountable amidst a spate of scandals, senior managers are expected to feel greater urgency about cyber vulnerabilities.
In fact, a new poll from McKinsey & Co., conducted in April and May, discovered that more than 60 per cent of institutional investors worldwide say they’re eschewing investment in any companies with poor governance practices. The survey of 200 large investors in 31 countries also found that 75 per cent of the respondents would pay a premium for companies with sound governance.
“In the beginning, we were leading the conversation; people were interested but that was as far as it went,” says Lloyd Ellam, Ottawa-based vice president and technology practice leader for Marsh Crisis Consulting. “We’re now seeing the people sitting on boards asking their risk managers about what their exposures are. It’s starting to sink in.”
Some big claims or a well-publicized lawsuit could be “useful,” concedes Chris Cotterell, director and founder of U.K.-based Safeonline, a digital risk specialist brokerage that set up shop in 1998 in the Lloyd’s Building in London. But he’s confident that the sector has still got legs without any high-profile disasters to propel it along.
“This will probably continue to be a specialist area for awhile, although some of the bigger brokers are setting up specialist units,” Cotterell predicts. “But all of the big insurers want to get into this arena — they want to be in this space.
“This is potentially one of the biggest areas in the next few years. Right now, they’re just working out their strategy. Then the sector will gain momentum.”
Harris of e-Sher says he just keeps on doggedly sending out proposals and quotes. “We’re laying the groundwork. We should see a critical mass develop within the next two years, once we get past the hard market.”
The New Risk Assessment Challenge
While insurance and IT security experts urge risk managers to add cyber risks to their agenda, they don’t want them to bear the burden alone.
While there is a growing school of thought that risk management in general should be an enterprise-wide undertaking, the broader approach is particularly advocated when it comes to cyber exposure.
It is urged that so-called silo management, where each department keeps to its own domain, be abandoned in favour of a cross-functional tack, wherein digital risks are handled by a team made up of a variety of stakeholders – top executives from the IT, finance, risk management, human resources, operations and legal arenas.
Richard Power, editorial director of the Computer Security Institute, suggests the appointment of a chief security officer to head such a multi-disciplinary team and he would like to see that person have a seat at the boardroom table alongside the CEO, CFO, COO and CIO.
“Security has got to be a global thing,” says Power, arguing that there are no quick fixes. “IT departments and, to a large extent, boards of directors, really see IT in terms of cost-saving, power, speed, ease of use. They do not accept the downside of it.
“Information security is always very isolated. I spent 10 years in Silicon Valley and I never heard the word security.”
There is often a “disconnect” between risk managers, IT practitioners and senior management, and that lack of communication can have a variety of repercussions, says Jill Tellez, director of the network risk group of Aon Risk Services Inc.
“There is no question that there is a Catch-22 in assessing your risk,” she suggests. “Some companies aren’t addressing it because if they’re not aware of it they don’t have to deal with it. Once you become aware that you’ve got a risk and it’s not insured, now is it negligence on the part of the directors and officers because you didn’t do anything about it?
“So, I think sometimes people are comfortable just kind of keeping their heads in the sand, saying hey, we did our best and we thought our technology people were taking care of this.”
Cyber experts recommend that risk managers undertake a comprehensive cyber risk assessment, a thorough examination of current systems and security ideally involving an impartial third party. Some insurers require extensive evaluations before they will even consider cyber coverage applications and several are partnering with security services companies, which will handle such audits.
“I don’t think we can talk about risk transfer until we talk about assessment,” says Tellez. “When we talk potential gaps in our current coverage, how can we know, first of all, if the gap exists or how do we know to the extent that we want to do something about it.
“In our opinion, and we have built a consulting practice around this very subject, it is very difficult to put your arms around what are the risks to the organization to make the determination that your current coverage fits or if you need to look at a stand-alone special product.”
There is a multitude of questions to be asked. What is your key business model and how dependent are you on electronic processes and interactions? What is the nature and extent of your intangible assets? How are you treating that information and what value is it to the organization? What are your system vulnerabilities – have you ever done a hack to detect weaknesses?
“Security is not the be all and end all – it’s a process,” says Keith D’Sousa, Toronto-based senior manager for KPMG’s risk advisory services. “You have to constantly keep up with the new vulnerabilities. There is never really an end point.”
What happens if your system crashes – what is the maximum allowable downtime? Is there a revenue stream interruption that would hit profit margins? Are you offering any services to others through electronic means and what happens if you fail to deliver? What is your business continuity planning? Do you have clear policies that communicate your IT and security philosophy, so that employees have no doubt about what is acceptable and unacceptable behaviour?
“We did an online assessment and we scored pretty high. But we had some work to do and we needed to spend more time educating our employees, offering more training regarding security. We also realized that security has to be constantly evolving,” says Reggie Davis, associate general counsel for Yahoo Inc., who was inspired to take cyber exposures more seriously after hearing a specialist broker speak at a conference.
“Yahoo, in the last two years, has significantly grown its ability to assess its risk, to mitigate its risk and to transfer risk,” he says. “Before, the company was focused on growing the business, on being successful. It was not mature in its approach to insurance. We needed to elevate our game, to get in a best-practices mode.”
Once risk managers have established their security baseline, they need to devise an action plan to address weaknesses that have been uncovered and build in assessment methodology and compliance procedures, says James Finn, a principal for Unisys Enterprise Security Consulting Practice. That should be followed up by regular external briefings on the major security threats.
“Get management to view security from a business imperative perspective rather than a return on investment perspective,” he says. “When you decide to put a front door on your business you don’t do an assessment of return on equity. No, it’s a basic thing. It is not debatable.”
— By Barbara Aarsteinsen
What are the general network risk insurance provisions and exclusions?
- Loss of Income/Business Interruption/Extra Expense
- Virus Coverage
- Crime/Extortion Coverage
- Crisis Management/PR Expense
- Publishing/Media Offenses
- Breach of Confidentiality/Privacy
- Technology Errors and Omissions
- Denial of Access/Contingent Business Interruption
- Patent Exclusion
- Fraudulent Use of Credit Cards Exclusion
- Trade Secret Exclusion (most exclude, some allow by endorsement)
- War/Terrorism Exclusion
— Aon Network Risk Consulting Group