Voice-over Risk

Many businesses in Canada and throughout the world are increasingly abandoning the traditional landline for Voice-over-Internet-Protocol or VoIP. A recent survey found close to one-third of businesses are now using VoIP and that number is expected to be nearly 90% by 2013.

VoIP is an emerging risk that should be top of mind to risk managers since the phone line now opens the office door to additional cyber risks such as hackers, spam and eavesdropping. A May 2010 report by Emerson Development LLC, VoIP Security Review: Insurance, outlines serious, pervasive and unavoidable cyber-security risks associated with VoIP. The Emerson report predicts VoIP will raise insurance rates for users due to extensive flaws that enable hacker attacks.

VoIP

VoIP phones offer an optimal means of communicating, considering quality and cost. They can save businesses up to 80% on their phone bills regardless of company size. Enterprises are moving toward VoIP in corporate networks to enjoy bandwidth efficiency and flexibility benefits including:

• substantial cost savings by using the Internet to bypass long distance tolls;

• the implementation of advance applications such as unified messaging (voice/data/facsimile/ voice-messaging/email/Web conferences/ etc); and

• improving employee collaboration and productivity.

Some VoIP providers such as Skype want to add voice and video call capability to more devices (think Research in Motion’s BlackBerry), making communication ubiquitous. Vonage, Net2Phone, AT&T and others are introducing new features –and related new exposures — on a monthly basis. Acquisitions in the VoIP space are becoming common. Google purchased Gizmo5 for $30 million to improve Google Voice and made an offer to buy Global IP Solutions for $68.2 million to enhance technology.

21ST CENTURY EXPOSURES

With VoIP, all calls are subject to the limitations of normal computer issues. More than 90% of all VoIP solutions providers operate on unsecure lines or platforms, whether free or charging for services. Calls placed on unsecure lines travel from one computer, over the Internet, to another computer; they have little or no protection to guard against terminal viruses, Trojan horses, unscrupulous hackers or uninvited guests listen- ing in on private conversations. These unsecure lines leave users dangerously vulnerable to the inevitable and expensive computer crash that forebodingly looms on the horizon. Additional challenges include:

Quality of service

By default, IP routers handle traffic on a first-come, first-served basis, so there could be delays in transmitting VoIP communications. Phone conversations can become distorted, garbled or lost because of transmission errors.

Susceptibility to power failure

Traditional analog telephone service is usually connected directly to telephone company lines independent of local power. With VoIP, no power means no phone service.

Emergency calls

Unlike traditional phone lines, it is often difficult to locate VoIP users geographically.

Redundancy

With separate Internet and phone lines, it is less likely that both systems will malfunction simultaneously.

Integration with traditional phone systems

Technical challenges remain, depending upon the type of legacy phone system (digital video recorders, digital subscription TV services and home security systems all use a standard phone line to do their thing). Currently, there is no way to integrate these products with VoIP.

Security

VoIP is vulnerable to unique risks related to voice communications such as eavesdropping on and recording of phone calls, or redirecting calls to an imposter organization (e. g., a hacker instead of a bank). As VoIP becomes more prevalent, it will become increasingly attractive to those with malicious intent. Therefore, it will be progressively more vulnerable to hostile acts such as spying/espionage, hacking, intrusion, interruption of service and identity and intellectual property theft.

Regulatory authority

Laws applicable to traditional phone lines have not all been applied to VoIP. There remains ambiguity, especially outside North America.

RISK MITIGATION AND INSURANCE

The Emerson report predicts VoIP will increase insurance rates for users. How ever, insurance carriers have not (yet) raised rates solely because an insured elects to implement VoIP. Insurance carriers conduct underwriter due diligence to determine whether an insured’s information technology security has implemented industry best practices — VoIP or otherwise.

For instance, VoIP developers are working on VoIP encryption to counter the bad guys. Calls placed on secure lines go through a VoIP platform (server) that incorporates its own security (including patented technology) against the ills of unsecure lines, thereby offering maximum security, privacy and peace of mind for its users. Contact your VoIP solutions provider and request written information regarding security of their service, along with patented technology they own or license. Risk managers should ask their VoIP provider if their service hosts embedded spyware on lines and/or allows public access to names and numbers of subscribers. The National Institute of Standards and Technology has published Security Considerations for Voice Over IP Systems1, which lists recommendations. Risk mitigation includes the following best practices:

Awareness

Educate your employees about what information should or should not be disclosed to third parties over the phone. Devise policies and awareness programs concerning appropriate usage and dangers of common vulnerabilities such as phishing.

Prevention

Ask your VoIP provider if it has had a vulnerability assessment done by a certified third-party entity. Incorporate in your service agreement that your VoIP provider must provide you with the results of such assessment on an annual basis.

Protection

Engage your IT security expert to request contractual representations from your VoIP provider. Such representations would relate to perimeter and internal security devices and hosted-based applications that protect your network — e.g. VoIP network intrusion prevention/detection systems, denial of service attack defenses, authentication, authorization and accounting servers, encryption engines and antivirus software.

Mitigation

A combination of human intervention and security management tools are being developed to mitigate the impact of hacker attacks. This aspect must evolve as security evolves to address new exposures.

CONTRACTUAL REQUIREMENTS

Once VoIP users have conducted due diligence regarding their providers, risk managers should include contractual insurance requirements in the service provider agreement. The contract should specifically request insurance coverage for all aspects of the service contract, including:

• a service level agreement guaranteeing uptime without degradation (failure to meet the agreed-upon service levels should result in remuneration to the user); and

• privacy and security/cyberliability coverage to address defense costs and indemnity for any losses or expenses incurred by the VoIP user due to security lapses of the VoIP system.

An example of the above might read as follows below:

“INSURANCE. VoIP Vendor warrants that it will maintain sufficient insurance coverage to enable it to meet its obligations created by this Agreement and by law.

“Without limiting the foregoing, VoIP Vendor will maintain (and shall cause each of its agents, independent contractors and subcontractors performing any services hereunder to maintain) at its sole cost and expense at least the following insurance covering its obligations under this Agreement. “Professional Liabil
ity Insurance with a combined single limit of not less than xx Million Dollars ($xx, 000,000) per occurrence. Such insurance shall cover any and all errors, omissions, or negligent acts in the delivery of products and services under this VoIP Vendor Agreement. Such errors and omissions insurance shall include coverage for claims and losses with respect to network risks (such as data breaches, unauthorized access/use, ID theft, invasion of privacy, damage/ loss/theft of data, degradation, downtime, etc.) and intellectual property infringement, such as copyrights, trademarks, service marks and trade dress.

“The retroactive coverage date shall be no later than the Effective Date.

“VoIP Vendor shall maintain an extended reporting period providing that claims first made and reported to the insurance company within two (2) years after termination of the Agreement will be deemed to have been made during the policy period.” 1

1 -In providing this sample language, Aon is not providing and cannot provide legal advice or a legal opinion concerning whether the insurance program satisfies insurance provisions in a VoIP contract. This sample should not be relied upon by you or a third party for any legal purpose. Aon does not provide an opinion as to whether an insurance program covers any legal obligations contained in VoIP or other contracts. All descriptions of insurance coverages are subject to the terms, conditions, exclusions and other provisions of the policies or any applicable regulations, rating rules or plans. Suggested additional or alternative wordings in any VoIP contract that we may recommend should be ratified by your legal advisor before being adopted.