Managing web exposures

With e-commerce widely predicted to explode into the mainstream world of business in coming years, the lure of “getting into the ‘net game” before it becomes too late is almost irresistible for most companies. In particular, the Internet is expected to play a critical future role in the selling and shaping of financial service products, from banking through to insurance. However, assuming that Internet transacting and exchange of information will become prevalent in business society, the issue which risk managers will soon have to address is identifying and managing their web exposures.

As we move towards the close of the century, insurers, reinsurers, risk managers, brokers and their respective business partners are increasingly reliant on technology for transacting business together. It was not so long ago that most commercial entities relied on paper or a handshake to transact business. Now increasingly the “deal” is consummated without necessarily leaving the office or meeting the other party to the bargain.

The twentieth century has witnessed the transformation of the way in which we do business from virtually fountain pens and manual typewriters to Internet web-based transactions known as e-commerce. This development has wonderful potential for increased efficiency, reduced paper waste and hopefully a reduction in the attendant cost of doing business. Hence, in the insurance industry, the broker can, with appropriate technology and authority, issue a policy or receive an application “on line” or tender a manuscript wording to the market for quotes, all without leaving the comfort of his or her office.

What then of the consequences for risk management in this emerging business environment? Some might ask “What risk?” The answer is multi-faceted and requires diligent attention from the insurance industry both for the insurer that issues a property or casualty policy and for the purchasers and sellers of that product. Reinsurers also have an interest to the extent that they rely on the underlying wording to assess risk to their portfolio.

“Is there coverage for “damage”

caused by a “virus” received through

e-mail enclosures or by hackers?”

Consider the offerings on a website of the fictitious ABC Co. Has the underwriter considered that the website has the advertising power of traditional print, audio and television media? Has the risk manager assessed the sufficiency of the liability wording for advertising injury, if ABC Co. has even purchased such coverage? If ABC Co. deliberately or inadvertently “publishes” a work which is defamatory of a competitor’s product, there is a risk of being successfully sued. Or consider that ABC Co. uses without authorisation the likeness or image of a person in its web-based advertising and promotions. Is there coverage under traditional insurance policies for this type of risk? Suppose ABC Co. (or its website service provider) has a fire on its premises and damage includes irreparable harm to the server or other hardware and associated software through which the website is maintained and administered. Is there coverage under an existing property form to offset the cost of restoring or replacing the various components to achieve their previous operability? Is there coverage for “damage” caused by a “virus” received through e-mail enclosures or by “hackers” who breach the website sophisticated but still vulnerable security “firewall”? Consider a simple theft incident. Can ABC Co. (or its website service provider) recover, in addition to the value of the obvious hardware and software lost, the value of the information taken and the cost to replace it?

Some will quite rightly point out that there are policies designed to cover such losses. In the third party or liability realm, the defamation and misappropriation of identity claims may fall within the scope of a “personal injury” or “advertising injury” coverage under a garden-variety commercial general liability policy.

Wordings need to be examined closely, however, as such policies, although similar, are not identical in the industry. In the first party realm, there are Electronic Data Processing (EDP) and lost media coverage endorsements available in the market. Some risk managers, underwriters and brokers will now be looking at their policy portfolios with renewed vigour and interest. Many will not have guessed at the potential risk associated with web-based commerce.

Dealing just with the liability side of the equation, consider that the parameters of what might otherwise be considered simple local advertising have been expanded to include anyone with internet access and a web browser. Consider that websites are capable of recording the number of “hits” on a given day and that any damage award might well take into account both the number of hits received and the volume of sales achieved during that time frame. Consider the implications for ABC Co. if the defamed party or owner of the misappropriated image resides south of the border. This is no longer simply a local or even national exposure. The value of “world wide coverage” takes on new significance — yes, you should check your “territory” clause, your currency clause and your limits.

In the property context, the EDP endorsements available do vary. The endorsement may cover as little as the replacement cost of the media upon which the data was stored. On the other hand, it may be so generous as to pay for the actual cost of hiring people to reprogram or enter the data within a given policy limit. If ABC Co. does not have such a policy, will the claim fit under the wording it may have in its loss of contents, stock and equipment form? Without checking the wording including the defined terms, ABC Co.’s risk manager, insurer and broker will be guessing — not a good position to be in when the claim is being administered.

Of course, the message to risk managers is simple: Check your existing wordings for liability and property coverage carefully. Apart from this, the broader analysis suggests that ABC Co. should review its website content with qualified legal counsel to address any liability concerns before rather than after the material has been “posted”.

Some serious thought should also be given to a timely “back up” system to ensure that the value of the website is not unduly vulnerable. This might include having a back up service provider on retainer or vaulted tape/CD ROM records stored off site and updated on a regular business cycle. Virus detection and prevention software is a must in the electronic age and regular updating is the only reasonable measure to provide protection.

Since ABC Co.’s website cannot be “seen” except on the computer screen, the “out of sight, out of mind” philosophy must be guarded against. This is also true on the underwriting side and from the broker’s perspective. Sufficient coverage can only be arranged if the right questions have been asked of the client.

Making assumptions about current wording can be costly for all parties to the bargain. Clarifying these issues in advance will help to ensure that any future claims experience is accounted for in the risk management plan. This should result in a favourable premium and hopefully little or no claims experience — a reward for good risk management practices.