Traditional insurance policies not adequate for cyber exposures: I.I.I.
NEW YORK, August 13, 2003 – As companies become more dependent on their computer networks for vital data, business continuity and communications, their vulnerability to cyber catastrophes increases.
“Unfortunately, most companies are operating in a 21st century threat environment with 20th century insurance coverage,” states John Spagnuolo, cyber expert for the Insurance Information Institute (I.I.I.). “The dynamics of risk management have changed with technology.”
The insurance industry has developed cyber insurance products to help businesses confront the growing number of network security risks that have the potential to shut down a network, destroy vital data or expose customer information to theft. For example, as the public becomes more concerned about privacy, businesses will become more aware that they are liable if their customers’ personal information is compromised. However, only a small number of businesses are properly insured.
According to a recent Ernst & Young survey of 1,400 organizations, its 2003 Global Information Security Survey, only seven percent of respondents knew they had a specific insurance policy geared to network and cyber-risk. Nearly a third (33 percent) thought they had coverage they actually lacked. Another 34 percent knew they lacked such coverage, while 22 percent didn’t know the answer. Ernst & Young characterized the fact that only 7 percent of surveyed companies had cyber insurance as “astonishingly low, given the risk environment and the fact that general policies don’t provide such coverage.”
“Regardless of its product line or service, virtually all major businesses today rely on computer networks to function,” adds Spagnuolo. “But they need to recognize that network security risks are fundamentally different than traditional physical risks like fire. If a hacker or virus shuts down a network or destroys computer software or data, most businesses today have either limited or no coverage. Insurers have excluded these risks from standard commercial policies and are now offering stand-alone coverage. Whether your company conducts business over the Internet, stores customer data on servers or simply uses email, it is at risk.”
In fact, the number of incidents reported rose by 377 percent between 2000 and 2002, increasing from 21,756 to 82,094, according to the CERT® Centers at Carnegie Mellon University’s Software Engineering Institute, which focuses on ensuring the integrity and survivability of computer networks. A single incident may involve one site or possibly thousands of sites. The CERT® Centers also indicate that the number of reported system vulnerabilities has increased by 378 percent, from 1,090 in 2000 to 4,129 in 2002. Possible effects of a cyber attack include denial of service, unauthorized use, loss or misuse of data and loss of public confidence in an organization.
The Computer Security Institute (CSI), in cooperation with the Computer Intrusion Squad of the San Francisco Federal Bureau of Investigation (FBI), released the results of its 2003 Computer Crime and Security Survey. More than 250 respondents, including computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities, reported over $200 million in losses. According to CSI, the findings confirm that the threat from computer crimes and other information security breaches continues unabated.
“The trends the CSI/FBI survey has highlighted over the years are disturbing,” states Chris Keating, CSI Director. “Cyber crimes and other information security breaches are widespread and diverse. Fully 92 percent of respondents reported attacks.”
The number of intruders grows each day and they are quite different from those of 10 years ago. A hacker does not have to be a sophisticated programmer to be able to harm a computer system. Intruders can use the Internet to educate themselves, and now have access to easy-to-use tools which allow them to do large amounts of damage in short periods of time.
“Intruders could be professional criminals, terrorists, industrial spies, teenagers and perhaps even employees,” emphasizes Spagnuolo.
Cyber-Risk and Homeland Security
Securing the nation’s cyberspace is also a critical element of homeland security, a strategic challenge that requires commitments by both the public and private sectors.
According to the National Strategy to Secure Cyberspace, released by the Bush Administration earlier this year, “Cyber attacks on U.S. information networks can have serious consequences such as disrupting critical operations, causing loss of revenue and intellectual property or loss of life…There is no special technology that can make an enterprise completely secure. No matter how much money companies spend on cybersecurity, they may not be able to prevent disruptions caused by organized attackers. Some businesses whose products or services directly or indirectly impact the economy or the health, welfare or safety of the public have begun to use cyber-risk insurance programs as a means of transferring risk and providing for business continuity.”
“The insurance industry can play a pivotal role in securing cyberspace by creating risk-transfer mechanisms, working with the government to increase corporate awareness of cyber-risks and collaborating with leaders in the technology industry to promote best practices for network security,” says Richard Clarke, former chairman of the President’s Critical Infrastructure Protection Board.
By writing policies for network security exposures, the insurance industry is providing:
- Vital risk transfer for network security exposures;
- Incentives for network security best practices, including lower insurance premiums; and
- Improved cyber-risk management and education.
“Traditional insurance policies such as standard property and commercial general liability insurance do not adequately deal with the risks of a cyber attack or network security failure,” cautions Spagnuolo.
Specialized cyber-risk coverage is available primarily as a stand-alone policy. Each policy is tailored to the specific needs of a company, including the technology being used and the level of risk involved. Both first- and third-party coverages are available, including:
- Loss/Corruption of Data – covers damage to or destruction of valuable information assets as a result of viruses, malicious code and Trojan horses.
- Business Interruption – covers loss of business income as a result of an attack on a company’s network that limits the ability to conduct business, such as a denial-of-service computer attack. Coverage also includes extra expense, forensic expenses and dependent business interruption.
- Liability – covers defense costs, settlements, judgments and, sometimes, punitive damages incurred by a company as a result of:
  - Breach of privacy due to theft of data (such as credit card, financial or health-related data),
  - Transmission of a computer virus or other liabilities resulting from a computer attack, which causes financial loss to third parties,
  - Failure of security which causes network systems to be unavailable to third parties,
  - Rendering of Internet Professional Services, and
  - Allegations of copyright or trademark infringement, libel, slander, defamation or other “media” activities on the company’s web site.
- Cyber Extortion – covers the “settlement” of an extortion threat against a company’s network, as well as the cost of hiring a security firm to track down and negotiate with blackmailers.
- Public Relations – covers those public relations costs associated with a cyber attack and restoring of public confidence.
- Criminal Rewards – covers the cost of posting a criminal reward fund for information leading to the arrest and conviction of the cyber-criminal who attacked the company’s computer systems.
- Cyber-Terrorism – covers those terrorist acts covered by the Terrorism Risk Insurance Act of 2002 and, in some cases, may be further extended to terrorist acts beyond those contemplated in the Act.
- Identity Theft – provides access to an identity theft call center in the event of stolen customer or employee personal information.
Depending on the policy, coverage can apply to attacks launched internally as well as externally, and to viruses that are either specifically targeted at the insured or widely distributed across the Internet. Premiums can range from a few thousand dollars for base coverage for small businesses (less than $10 million in revenue) to several hundred thousand dollars for major corporations desiring comprehensive coverage.
Risk Prevention Services
As part of the application process, some carriers offer an on-line and/or on-site security assessment free of charge, regardless of whether the applicant purchases the insurance. This is helpful to the underwriting process and also provides extremely valuable analysis and information to the company’s chief technology officer, risk manager and other senior executives.
“Thousands of policies have been written for cyber coverage since the late 1990s,” according to Robert Hartwig, chief economist for the Insurance Information Institute. “Policies written for cyber insurance are likely to reach $2 to $3 billion within the next four to five years as companies recognize existing gaps in their coverage.”
Recent legislation and regulation, such as the Gramm-Leach-Bliley Act (GLB), the Health Insurance Portability and Accountability Act (HIPAA) and California’s Security Breach Information Act (SB 1386), effective 7/1/2003, are also expected to substantially increase potential legal liabilities in this area, increasing the need and demand for cyber-risk insurance coverage.
The Insurance Information Institute is a nonprofit organization recognized by the media, government agencies, regulators, universities and the public as a primary source of information, analysis and referral concerning insurance.