CYBER-EXPOSURE a risky business

Corporate takeovers. Plummeting stock prices. Falling profits. These used to be the primary fears of the corporate world. Today, enemy number one could be a fourteen-year-old sitting in front of a home computer with the power to bring business to a halt with the click of a button. Technology is dominating the way the world conducts business, and with this dependence comes the risk of major losses, both financial and in terms of credibility, when that technology is compromised. And the threats are everywhere, including hackers, restraints on intellectual property and advertising online, email abuse and even contract disputes with technology vendors. The opportunities of e-business are fast becoming the number one challenge for corporate risk managers.

Last year the world’s largest Internet-based companies, from Yahoo to Amazon, and ostensibly the most secure public organizations, including the White House and the CIA, found themselves the victims of hacker attacks that revealed just how vulnerable their supposedly airtight security systems are. And much of the hacking was traced back to teenagers with too much time on their hands and relatively rudimentary computer equipment

It is enough to make any corporate risk manager want to crawl into bed and pull the covers over your head. The profession is just now coming to grips with the new dangers brought on by increased Internet use and the growth of e-commerce. Whether these are high-tech companies, or bricks and mortar corporations dealing with Internet platforms as basic as employee email use, technology has become a frightening proposition.

Insurers are also struggling along a learning curve, inventing new covers and seeing the limits of existing policies tested in the light of emerging risks. A drought in comprehensive Internet covers is forcing companies to look at Band-aid solutions, combining commercial general liability (CGL) policies with any variety of add-ons, and facing new exclusions at the same time. To be fair to insurers, with a lack of underwriting history for Internet losses, whether they are the result of lawsuits or hack attacks, there is general confusion about how these policies should be valued. There may be as much fear among insurers about this brave new world as there is among insurance buyers. It is risky business on both sides of the fence.

At a recent Institute for International Research seminar on “Cyberexposure”, experts warned that as the risks grow, both risk managers and the insurance industry are going to have to respond with better coverage and better risk control processes.

Virus vulnerability

Last year’s “I Love You” virus was just one more in a line-up that has shown just how easily hackers can attack even the most high-profile organizations. While estimates of damage from I Love You range in the billions of dollars, what may be more significant is the ease and speed with which the virus spread, and its success in “gumming up” the computer systems it attacked. The downside of increased Internet access, a trend in which Canada leads the world on a per capita basis, is that it is largely a growth in untrained users, using email, where viruses are so quickly spread.

Viruses are also spreading more quickly because of the rise of “co-opetition”, notes Robert Parisi, chief underwriting officer of global e-business solutions for AIG Group . Software renting through application service providers, outsourcing of data collection and management and worldwide Internet-based connections such as Interac, make companies more vulnerable to virus spread, and makes losses even greater when systems are shut down.

With companies such as NASA, the White House and the CIA being hacked, who isn’t vulnerable, asks Geoffrey Haddock, senior account executive at Potruff & Smith Insurance Brokers. And the losses can be huge. A new trend, Haddock observes, is toward delay of service (DOS) attacks. These were aimed at a variety of Internet retailers, including Amazon, last year and resulted in billions of dollars of lost revenue as consumers became frustrated with waiting to access this “high-speed” form of shopping and left the sites.

In a recent U.S. poll conducted by the FBI and the Computer Security Institute, 90% of companies reported security breaches in the year prior, with respondents coming largely from major corporations and government agencies. Hackers are not targeting “mom and pop” sites, notes Parisi, they are going for the Internet giants. “These are not start-up companies that forgot to put up the firewall”, they are supposedly secure sites bringing in millions of dollars of revenue being compromised. The study also discovered that 95% of people engaged in Internet use who had anti-virus software still had a virus of some kind in their system.

New properties

A second emerging area of cyber-risk is its intersection with intellectual property (IP) claims. With the growth of new technology, patent offices have become overwhelmed and conflicts over who “owns” new software and systems are becoming common, says Jennifer Soper, head of technical underwriting for St. Paul Canada. Patent is also the most expensive of all IP claims to defend, she notes.

Haddock agrees that companies with have to deal with the IP issue, not just in terms of damages, but also looking at defense coverage for lawsuits, as these types of conflicts rise in number. Another growth area for IP claims will be advertising/trademark infringement on websites, especially those that have links to other sites, he predicts.

Errors and omissions claims resulting from contract disputes between technology providers and their customers is the highest growing new claim area, says Andrew Steen, Canadian underwriting manager for Chubb’s technology insurance group. At Chubb “we’ve seen more e&o claims in the last 18 months than we’ve seen combined in the last 18 years”. Cost is also a huge factor, he says, in that the average technology claim used that used to be $25,000 is now rarely under $1 million. And contract disputes will continue to rise, he predicts, because of the competitive nature of the high-tech market and the need for providers to go out on a limb to get customers. Companies will be promised miracle solutions that providers just can’t supply. These solutions are also becoming “mission critical” to companies, and have gone from “nice to have to need to have”.

New legislation

As federal and provincial politicians rush to implement new legislation to deal with the Internet boom, companies are finding both opportunities for growth and opportunities for disaster in the new rules. New federal privacy legislation is going to affect all companies, and this includes insurers, who will have to look at the effect on both their own operations and those of their clients. With the new accessibility afforded by the Internet, come new potential uses and abuses of information, and the increased potential for personal information to be compromised.

In fact, part of the logic behind the creation of the legislation were global e-commerce laws which suggest that countries could be excluded from the international data flow is they do not have strict laws in place, explains Nancy Carroll, a partner at law firm McCarthy Tetrault.

As well, new legislation to give validity to electronic signatures and encourage e-commerce transactions may present special problems. The threat of signature modification or forgery of e-signatures will be a challenge for companies, says Alfred Diezi, senior legal claims counsel for Swiss Re. “We will have to wrestle with this new freedom.” Encryption will resolve many of the concerns over e-signature security, he predicts, and will create electronic contracts that are enforceable in court.

However, there are as many questions as answers in what will constitute a valid signature in the Canadian legislation at the moment. Until these questions, and potential differences between international standards, are resolved, the waters are murky for companies doing big business online.

Lack of response

It seems obvious, given the rise in ris
ks associated with technology, and the Internet in particular, that insurers would be more than happy to step in and take advantage of this new market. Following the DOS attacks of last year, the demand for new covers rose sharply, notes David O’Neill, vice president of e-business solutions for Zurich Financial.

Haddock admits he thought “we would see a whole bunch of new products by the first of the new year…but this didn’t happen”. Companies have been slow to respond to this need, agrees fellow Potruff & Smith account executive Ben Malik. Companies have been “slow to develop new products… they seem to be taking a ‘wait and see’ attitude”.

Internet policies are “still the domain of specialty insurers and large, technology-savvy companies”, Haddock says.

Part of the problem is that many companies are still unsure of what aspects of Internet and other high-tech risks are already covered under existing policies. Following the “Melissa” virus, a survey of insurers revealed that most did not know if their existing policies would respond to such a virus or not, Haddock notes. The whole “derangement of physical property” aspect of policies has become a conundrum for insurers, who are having trouble equating the largely financial losses associated with cyber-risks with physical risks in CGL policies.

CGL coverage is “generally pretty open” unless specific exceptions are in place, says Carroll. But insurance customers will be looking not just for CGL coverage, but also directors and officers (d&o) coverage, and in some cases e&o coverage in the event of a hack that violates privacy laws, for example. With the new legislation, “we are just in the developmental stage” of figuring out what is and is not covered by existing policies, she explains.

Brokers need to go to their CGL carriers and ask them what cyber-risks are and are not covered, suggests O’Neill. They also need to look at potential conflicts or gaps between CGL policies and e-commerce policies, and if those policies are handled by different companies, who will be responsible for areas of overlap. Commercial clients will also have to understand that in some cases another solution may have to be sought for specific risks, “because there is some business risk that is just not insurable”.

Explaining e-coverage will be no easy task, the experts predict. One problem is that many companies have an “it won’t happen to me attitude” about cyber-risks, says O’Neill. “You have to keep whacking away at those companies and show them what’s happening in the marketplace.” Other companies are taking the risks very seriously, and have a high level of fear and misunderstanding. It will be up to the insurance industry to educate consumers about new products and existing covers. “We do not communicate insurance coverages well” because of their technical, complex nature, Haddock believes. This problem is exacerbated by the addition of high-tech issues.

But with no way to predict future problems in the cyber-world, it is essential that corporate clients are advised to take these risks seriously. “This is true catastrophic coverage,” says O’Neill. “This isn’t a slush fund for [a client’s] e-commerce platform.”

What is available

There are a variety of ways to cover cyber-risks, notes Soper. These include e&o, separate e-commerce policies, Internet media policies and a variety of inclusions and exclusions to existing commercial policies. Brokers may be looking at manuscript versus endorsement (add-on) policies, and this decision may depend on the level of coverage needed, the level of security in place and what clients are willing to spend, observes Haddock.

But the insurance industry needs to start looking right now at what is covered and how the gaps can be filled. Haddock suggests “fixed cost” add-on policies may be the answer to filling gaps. It is better to ensure that clients are covered before more incidents occur than to leave it up to the courts to decide what is covered by existing commercial policies, he says.

Clients may object to paying more for add-on coverage, or balk at exclusions in their existing coverage. But, in the event of a disaster, Steen notes, “there are three words the client doesn’t want to hear, ‘it’s not covered’.” It will be up to insurers to get on the ball and decide where they are going to take e-commerce coverage, either through new covers, exclusions or add-ons, says Parisi. “We [insurers] are going to live or die by our own actions.”

Underwriting headache

Some insurer reluctance to jump into the cyber-risks market may be due to the difficulty in quantifying the risks involved, experts suggest. “How do you keep an actuarial soundness to the process?” asks O’Neill. With no historical data to rely on, “you have to make a lot of assumptions…pricing sometimes seems like a to z, in the extremes”. And insurers are more likely to look at covers for some industries than others, based on background knowledge of certain business.

One issue is that no one wants to talk about being hacked, and just how bad their losses were as a result. Companies do not want to discuss the nature of their claims for fear of revealing company secrets and security flaws, O’Neill says. There is “not a lot of knowledge out there on which to base [underwriting] decisions”.

“Actuaries like to drive by looking in the rearview mirror…but there’s no track record for this,” Parisi adds. “There’s no way to price this.” Insurers argue that companies with a web presence are in the business of publishing or broadcasting, excluding this activity from CGL coverage, he adds. Their case is that this kind of activity presents a completely different underwriting process than other corporate business, and there are not the same kind of controls in place to keep Internet companies in line as there are with other kinds of advertising.

Another issue is the difficulty in understanding losses in the cyber world. Most hackers don’t “steal” property or even damage it, they usually copy the information, Parisi points out. And most websites don’t “make money”, they are information/service oriented and do not conform to traditional ideas of loss revenue coverage.

Preventive medicine

If companies can not count on the insurance industry to address all of their cyber-risk needs, whether because of a drought in available products or because of a need to control risks and spend less on insurance, they are going to have to educate themselves in this new electronic world.

The needs created by the borderless, non-stop world of e-commerce dictate a higher level of attention. “You’re no longer safe with a simple property policy and CGL policy, or even an e&o policy,” says Parisi. “You need 24/7 service, because that’s when you’ll need loss prevention and emergency services [in the event of a problem].” Hackers and viruses do not work on a 9-to-5 basis and companies will need to set up round-the-clock response efforts in the event of a hit.

Steen argues that companies need to have set procedures in place to respond when a complaint or error occurs, before they end up in court or paying out money to disgruntled third parties. Websites in particular, he maintains, need to have a complaint mechanism in place. And companies need to keep strict records of any incidents, whether resulting in a claim or not, not only to promote a remedy for any problems, but also to offer as proof that the company is dealing with concerns in a good faith manner.

Companies need to look seriously at their security and privacy procedures in place with regards to online activity. O’Neill says that limiting access to the company website is much like limiting the number of keys given out for your building. Privacy audits, especially for new websites, should be encouraged, Carroll adds.

And while insurers will likely be offering more products to answer e-risk needs, Parisi suggests companies should be looking right now at how they can control these risks on a “minute-by-minute” basis. “Right now, it’s catastrophe coverage…that’s not good business.” Corporations should have the proper security and risk control procedures i
n place before they start buying insurance, and even before they have their e-commerce platforms in place. “You wouldn’t move in to a building before the sprinklers and fire alarms are installed.”