System Breakdown: shortage of “e-covers”

Electronic commerce is getting a lot of attention. Industry Canada has announced its strategy to make this country a world leader in the adoption and use of electronic commerce.

According to Industry Canada surveys, more than 60% of Canadian businesses already have Internet access and 25% have web-sites. In 1999, the value of Canadian e-commerce was Cdn$11.02 billion, an amount that is expected to grow to over Cdn$151 billion by 2004. After the U.S., Canada is the next most connected country in the world. So far, most of the attention surrounding e-commerce has focused on customer behavior and economic opportunity, with little attention paid to its ramifications, including the implications for insurers.

New opportunities expose business to new risks, and our industry is finally beginning to recognize the need to give this serious thought. Insurers have been advised that all reinsurers will likely exclude some “cyber risks” in catastrophic treaties as of renewal. For most companies, this means no reinsurance protection for such losses unless it has purchased specific protection as of January 1, 2002. Customers rely on brokers and insurers to help identify the financial exposures they are facing, to provide assistance in risk mitigation to reduce exposure, or to secure insurance coverage to protect their financial interests.

As brokers and insurers, we must be more responsive and proactive than we have been to date. We have an opportunity to enhance customer knowledge, protection and satisfaction, and to apply the timeless rule of commerce, impervious to gimmick, novelty and time, “know and please thy customer”.

Exposure paralysis

The catastrophic exposure feared by reinsurers is the potential for a worldwide paralysis of networks and systems as a result of a computer virus or similar event, and the subsequent business losses due to business interruption. In fact, although not a virus related event, a U.S. court decision (American Guarantee v. Ingram Mico) recently found coverage under a business interruption policy when it determined computer down time alone constitutes property damage. This court decision, although generally considered flawed and currently under appeal, combined with the malicious damage coverage contained in most property policies, is of sufficient concern to generate serious discussion and significant action by reinsurers.

Unlike any other catastrophe exposure, there is no geographic spread of risk. If the threat of a worldwide loss is possible, no matter how remote, no one should fault reinsurers for their concern. For individual business owners, e-commerce creates e-risks. It is not just the IT experts, like Internet service providers or high-tech consultants that face financial exposure. While most businesses are still not “virtual companies”, most small to medium businesses now use computers and electronic technology. Vital business information is stored and accessed electronically. Retailers and manufactures use web-sites to advertise, sell or distribute products. Companies operate intranets and extranets, and use wireless technology to conduct B2B or B2C communication. Websites are now easily set up, and the broad acceptance of the use of the World Wide Web means you do not need to be a sophisticated Internet service provider to host a “chat room” or bulletin board to share information on any subject.

Addressing broad needs

Specialized insurance markets are now addressing the “pure e-risk” insurance needs of the high tech industry. However, as brokers and insurers we need to address the more common risks that will face the vast majority of Canadian businesses entering the world of e-commerce.

Traditional insurance products were designed to meet the risks associated with business conducted through “bricks and mortar”, but not the new “bricks and clicks” model of business. As brokers and insurers, we need to move forward with business to understand the scope of risks and the range of insurance products that can respond.

Identifying e-risks

E-commerce operates in a virtual world. Intangible electronic data runs software. Customer profiles (including personal credit information) and product information are stored and communicated electronically. Business operations rely on a network of computers and similar devices that are linked somewhere in “cyber-space”. The economic efficiency gained by relying less on physical infrastructure is an attractive feature of e-business. However, traditional insurance products were designed to address direct physical loss – in other words, current standard policies cover the “bricks” but not the “clicks” of this new business model.

Business owners and risk managers understand that insurance is not the answer to every business risk. Some “cyber events” like loss of data or downtime due to loss of connectivity, are now routine business risks better dealt with by redundant networks, regular back-ups, data integrity checks or other security routines and protocols. At the same time, as insurers we need to better understand the gap between the new virtual business risks and traditional insurance products and close them. While niche markets are available to deal with intellectual property, some intangibles, like a customer database, may represent a valuable business asset to small and mid-size businesses for which innovative insurance products might be developed.

The increased business use of the Internet also means that even small businesses can operate globally by reaching a global audience. While the Internet may not care about users’ geographical locations, lawyers do. A small business may not realize it may be exposed to the same complex inter- and extra-jurisdictional legal problems as faced by the multinationals, but without the same resources. Even if it is possible to pinpoint where a cyberspace loss occurred geographically, insurance policies do not necessarily provide worldwide coverage.

Just as the WWW means businesses may find themselves operating in jurisdictions they’ve never heard of and never intended, the web’s widespread and public availability may mean a business has unwittingly become a broadcaster or publisher depending on how it operates its website. Since standard commercial general liability policy excludes broadcasting or publishing activities, and many insureds may find themselves without cover. Conversely, insurers adding the type of publishing covers that are found in many advertising liability endorsements without asking appropriate questions may be providing coverage that has not been fully considered or priced.

Businesses now commonly understand that they may be responsible for the indiscreet use of the Internet and e-mail by employees. However, a business should consider that in some circumstances its responsibility might extend outside the company. In certain cases, a business hosting an open chat room or bulletin board format may be expected to monitor the information exchange that takes place. From there, it is a very short step to a finding of liability for any libelous or defamatory comments, even if posted by outside users if the business is seen as permitting or failing to promptly remove offending material.

Security landmine

Security, or lack of, on the Internet is another potential landmine. Media and news reports cite a variety of numbers on the incidence of IT security breaches. Although it is probably safe to say that many go unreported, it is not uncommon to read that half or three-quarters of businesses report problems. While the exact scope of security failures is unclear, it is clear that if even the Pentagon or NASA websites can be hacked, no security system is absolute.

Often the reported cases of security failures involve events more embarrassing than financially damaging, but the potential for business loss is enormous. While these security breaches usually do not involve the type of physical loss currently covered by insurance, the extremely high rate of security failures raises serious questions about the insurability of some businesses and e-business losses. At some point
the inability to ensure security is no longer a risk, but a certainty.

The security and integrity of the electronic information being collected and stored is a concern for Canadians. Businesses worry that a lack of public confidence in privacy protection may impede e-commerce. In order to facilitate and support e-commerce, Canada has recently introduced a federal privacy law to regulate the collection and use of personal information. The Personal Information Protection and Electronic Documents Act is being implemented over the next few years and by 2004 will apply to most private sector business. Businesses should become familiar with the definitions and standards for handling personal information that are set out in this act as they will be held to these standards.

It is debatable whether the federal privacy act introduces a new avenue for liability claims or just a new standard of care for the old familiar torts, such as libel or privacy invasion. From an insurer’s point of view, this is something to watch.

Global exposure

The potentially global reach of e-business leads to probably the central issue that should be considered by insurers – that the risk of loss is, potentially, global in scope. The wide spread connectivity of computers creates efficiencies, but it also creates dependencies. A single geographically isolated event may operate like the first knocked down domino, resulting in numerous widespread losses. The potential for catastrophic loss is a problem that has already been identified by the reinsurance community. Restrictive wordings limiting the aggregation of loss for certain cyber events under catastrophic treaties have already appeared in the European market and will likely be introduced in the Canadian market this year. If so, these restrictions will be effective January 1, 2002 – a period of time for which primary insurers have already issued policies. Although similar restrictions are not anticipated on liability treaties, insurers and reinsurers are already struggling with what constitutes a single occurrence when multiple claimants are involved. A lack of concurrent language and coverage between insurance policies and reinsurance treaties may pose a stumbling block in responding to the insurance needs of e-business.

If reinsurers back away from appropriate risk, insurers may have no choice but to do the same. Insurers and reinsurers must work together to ensure we understand and meet the challenges of the new realities of business. The objective in mind must be to take care of the customer so we continue to have customers to take care of.

Current activity

The insurance community has undertaken several initiatives. An important first step is providing information to customers to raise awareness of these issues and the broader risks entailed in e-business. Brokers and customers should expect to see increased communication about e-business risks from a variety of sources, including insurers. Businesses are in the best position to identify and assess specific situations, the risks of e-business activities, and decide how best to manage that risk. The old-fashioned saying about an ounce of prevention seems particularly apt for modern-day e-risk management. Proper security measures, responsible back-up and off-site storage of data, limiting website access and other controls are in most cases effective means to manage risk.

Where insurance is an appropriate solution, understanding its risk exposure helps businesses identify insurance needs. As technological losses are generally not covered under standard insurance policies, brokers and their clients will need to identify where coverage is missing. An industry committee is currently working to clarify some of the existing covers to provide necessary information to brokers and customers and more clearly identify gaps between coverage and the new e-risks.

As part of the process of clarifying the scope of existing covers, individual insurers are beginning to identify and assess exposures that may be insurable. E-business provides an opportunity for insurers to develop new products and refocus underwriting. The greater scope of liabilities introduced by the Internet underscores the need for insurers to understand who and what they are insuring.

Risks and exposures will change as fast as technology. Insurance coverage must evolve along with business to respond to these changes. We must identify, quantify, and manage these risks. Insurers can not walk away from satisfying the true insurance needs of their customers or their customers will simply walk away from them. On the other hand, insurers must not proceed blindly applying old solutions to new problems.