April 1, 2001 by Fred Shurbaji, underwriting manager of Chubb & Son's department
The proliferation of the mainframe computer a generation ago created new exposures for businesses. Insurance policies at the time were unable to keep pace with change, and as a result, the first electronic computer crime policy was developed 25 years ago to handle those new exposures.
Back then, computer systems were big and bulky, and were only accessible onsite. Underwriters and risk managers were concerned about physical intruders to a company’s computer operations and about employees who tried to sabotage systems or compromise security. Providing insurance coverage for these risks was fairly straightforward. Today, however, information technology systems are web-enabled, fully networked and accessible 24 hours a day. Because intranets, extranets and the Internet run across public infrastructure and utilities, virtually anyone with a web browser can reach a company’s systems, probe for sensitive information or leave behind one of the estimated 60,000 havoc-wreaking viruses in circulation. Underwriters and risk managers are now more worried about the rapidly growing number of threats to IT systems that originate beyond a company’s four walls.
Gaps in coverage
Over the years, as technology advanced, computer crime policies failed to keep pace, even as more and more new risks emerged. The result has been glaring gaps in computer crime coverage. Because financial institutions are among the heaviest users of technology and are on the leading edge of e-commerce, they have become particularly vulnerable to computer crime and, as a result, particularly exposed to the gaps in the insurance coverage designed to offset that risk of loss. Overall, PricewaterhouseCoopers recently estimated that, worldwide, computer viruses and hackers cost businesses about US$1.5 trillion in 2000.
Looking the other way
The other side of this equation is the readiness, or willingness, of companies to confront the problem of cyber crime. Recent statistics indicate business has a long way to go. A study released in 2000 by management consultants KPMG found that while the vast majority of Canadian businesses viewed online security as the biggest threat to their e-commerce operations, 89% believed their own e-commerce system was less of a target for fraud than those of other firms.
“Canadian companies remain dangerously complacent when it comes to issues related to e-commerce fraud and security, despite the growing number of attacks on the Internet and on e-commerce sites around the world,” Norman Inkster, president of KPMG Investigation and Security Inc., said when the study was released. “The reality is that all companies will one day be a target for e-fraud and should be taking precautionary measures now.”
But even the strongest security measures cannot completely stop or prevent computer crime. The risks, particularly for financial institutions, will therefore remain serious, and companies will require a strong insurance program to offset them. Most of the traditional policies used today to cover computer and technology crime – fidelity bonds, electronic computer crime policies and property policies – fall well short of the mark.
Fidelity bonds provide coverage for the unlawful taking of property such as money and securities by either an employee or a third party, but in today’s fully networked environment, losses can easily be sustained without any property being physically removed. With readily available technology, people can copy, duplicate or simply view confidential information, creating a loss without physically taking, removing or altering that information. Fidelity bonds exclude loss of confidential or proprietary information, including confidential customer information – a glaring gap, especially given the emergence of identity theft as a major exposure for financial institutions.
Moreover, fidelity bonds have never responded to consequential loss such as business income loss or extra expense – costs that would arise, for example, if a computer hacker caused a system shutdown or slowdown. In addition, fidelity bonds do not provide coverage for fraudulent use of digital signatures. Their emerging use for online loan origination creates a new set of exposures for Canadian financial institutions with U.S. branches or operating subsidiaries.
Excluding outside risks
The second method commonly used to insure against computer crime is the computer crime policy. Existing computer crime policies address risks such as the physical introduction of a virus into a system, but they were built around the threat of an external hacker who gets inside the “four walls” of a proprietary critical infrastructure, or who physically inserts a virus into the system. The focus of security here is on who has access, or is granted access, to the computer room. A loss caused by someone – an employee, a customer or another third party – who exceeds his or her authorized access to the system is not covered. As with fidelity bonds, electronic computer crime policies specifically exclude loss of confidential material or data.
Finally, traditional property policies offer little protection against electronic events. Depending on the contract, coverage may be found for losses caused by viruses, and theft of tangible electronic data processing media is covered. In the cyber world, however, the physical taking of property is a small portion of the exposure. Data does not have to be physically removed to cause a loss; copying or merely viewing data can do so.
Property policies also do not provide coverage for the theft of money and securities, clearly a major area of concern for financial institutions. As with fidelity bonds and computer crime policies, property policies do not cover the loss of confidential information. Furthermore, their business interruption and extra expense coverages are triggered only by direct physical loss of or damage to tangible property.
Taking up the gap
The gaps in traditional policies are clear and striking. Fortunately, the insurance industry is beginning to respond to these gaps and to the increased likelihood of losses resulting from computer crime. State-of-the-art policies combine insurance for direct loss, legal liability and consequential loss. These policies address losses resulting from identity theft, electronic theft, system intrusion, unauthorized access, denial of service attacks, and sabotage or vandalism – not only by outsiders but also by disgruntled employees, who, some believe, are responsible for as much as 80% of losses.
In some cases, policies are being introduced to address the specific needs of different customers. In the case of financial institutions, research shows that risk managers want a policy that responds to:
compensatory damages if their institution is found liable for the theft of confidential customer information (including identity theft);
denial or impairment of e-service, including the loss of business income and extra expenses incurred during the period of recovery such as the cost of hiring a public relations consultant to mitigate reputation damages;
losses involving fraudulent e-mail;
acts of e-vandalism, including when employees damage or destroy data; and
extortion threats, even if they are not carried out, including the expenses of hiring independent negotiators or public relations consultants.
In addition to reviewing the insuring clauses, risk managers should look carefully at the definitions in the policy, since they can affect the breadth of coverage. So that the policy does not become obsolete given the fast pace of technological development, it must address emerging technologies. The definitions should also be broad enough to encompass the increasingly common outsourcing of Web services and the use of third-party Internet service providers to host data on systems that are not proprietary to the insured.
Currently, only a limited number of insurers provide such broad coverage. Most of them have a long history of insuring both technology innovators and sophisticated technology users such as financial institutions. As more underwriters get a better sense of the exposures, risk managers can expect to see other insurers offering cyber insurance – which will become an indispensable part of a risk management program.
30 www.canadianunderwriter.ca CANADIAN UNDERWRITER / APRIL 2001