http://seattletimes.nwsource.com/html/businesstechnology/134502269_cyberinsurance29.html

By Nancy Gohring
Seattle Times business reporter
July 29, 2002

In February 2000, online hackers launched what's known as a "denial of service" attack, shutting down eBay, Amazon.com, CNN.com and other major Web sites for as long as three hours. By some estimates, the event cost the companies $1.2 billion.

Traditionally, such attacks haven't been covered by insurance. In industry lingo, the companies were "self-insured," meaning they were responsible for their own losses.

But as online attacks and viruses continue to wreak havoc - and at a time when security is increasingly a top-of-mind concern - insurers, technology companies and the federal government are working toward a solution to protect companies from losses.

The idea that has emerged is being called cyberinsurance, and it covers almost anything related to information technology, including losses resulting from viruses, hacker or denial of service attacks, extortion, and copyright and privacy infringement.

So far, some insurers are including coverage for basic problems in their general liability offerings, but most are asking customers who want significant coverage to pay for separate packages.

High-tech companies are the most likely to buy cyberinsurance in case their services or products fail their customers. But the insurance industry wants all companies with any sort of Internet connection to take out cyberinsurance, and the federal government is particularly hopeful that companies in industries traditionally considered utilities will buy it.

In fact, the insurance industry predicts that cyberinsurance will be a $2.5 billion market in 2005, according to the Insurance Information Institute.

In the meantime, insurers are experimenting with how to offer it, while struggling to persuade companies to buy it.

It's not clear at this point how many companies have signed up for cyberinsurance.
American International Group, a known name in the field, has issued more than 2,000 policies, but if you ask companies about cyberinsurance, many will say they've never heard of it.

Those companies may be some of the same that have experienced losses resulting from security failures. The Computer Security Institute and the FBI's Computer Intrusion Squad in San Francisco found 90 percent of companies surveyed recently had detected security breaches in the past year, though only half of them were able and willing to quantify their losses - about $455 million in the past year.

Third-party coverage

As a practice, few companies buy insurance to cover losses they may incur when internal systems fail. Instead, they more commonly buy third-party cyberinsurance, which protects against damage to customers or someone other than the company.

"People buy insurance for things outside of their control that are catastrophic in nature, like being sued," said Ned Sander, managing director for the Seattle office of AH&T Technology Brokers, an insurance broker serving small and medium-size technology businesses in Seattle.

An example is Amaze Entertainment, an AH&T customer and Seattle company that develops electronic games for publishers such as Electronic Arts. When it comes to insurance, Amaze negotiates with its publisher-customers whether to insure its products.

"We'll say that we'll buy it if you want it, but you'll pay more for the project," said Mike Dean, director of finance with Amaze.

Such insurance would cover losses to Amaze's customers in case, for example, the customer sells Amaze software to end users and the software is faulty. If Amaze's customer had to recall the product and offer refunds, insurance would cover the losses.

But when companies look at first-party insurance, which would pay for loss to the company itself, they tend to pass.

"A lot of times these IT guys say if I buy a policy it admits I'm not doing my job well enough," Sander said.
Amaze hasn't invested in first-party cyberinsurance. "We're not worried about our systems crashing," said Dean.

Complicated applications

Companies also shy from first-party insurance because it can be complicated to buy. Insurance companies usually require an in-depth evaluation of the potential customer's systems - sometimes at a cost to the customer - as well as a lengthy, complicated set of forms. Some companies decide against first-party insurance, Sander said, once they learn about that process.

Companies may also be turning down first-party insurance because of the hush-hush nature that often clouds specific attacks. It's widely believed that companies with security breaches tend not to report it to law enforcement or insurers.

"When a company has their systems hacked into and they suffer losses, they don't like to advertise it," said Bob Bregman, senior research analyst with the International Risk Management Institute. "Because if someone hacks into your system it's not the same as saying your plant was destroyed by fire. There are different implications."

Companies that do consider cyberinsurance have a lot of research to do. Insurers have a wide variety of packages to offer, as they try to get their hands around the risk involved, with little historical information to help determine values.

"Traditional (insurance) products have decades of loss information where we can generate a premium that is razor thin because you have this ability to understand the losses of the past," said Ty Sagalow, chief operating officer of AIG's eBusiness Risk Solutions group.

Not so with cyberinsurance. Because risk from electronic failures has so little history, some insurance companies, like AIG, offer it as a separate policy. Other insurers, however, include certain basic forms of cyberinsurance in general liability packages.
Nonetheless, Sagalow thinks that ultimately all insurers will offer cyberinsurance separately because it's a unique risk that should be handled by the insurance company's specialists.

Not everyone agrees. "Over time the coverage will be included in the package," AH&T's Sander said. He points to The St. Paul Companies and The Chubb Group, both of which offer general liability policies that cover loss and recovery of data that may occur because of a physical event, such as an electrical power surge or a fire.

In April, St. Paul instituted a $10,000 limit on business interruption and data loss resulting from hacker attacks or viruses into its general liability plan, Sander said. Companies that want more will have to pay extra for it.

The price varies depending on the size of the company, as well as the types and amount of coverage. Fortune 500 companies could spend hundreds of thousands a year for robust coverage with high limits, Sagalow said. AIG will cover as much as $25 million or even more if a company wants it. Small companies, on the other hand, could take out a policy that's as low-priced as $999.

Government encouragement

Even though the insurance industry is clearly hammering out the wrinkles of this new type of insurance, a push by the federal government may lead more companies to buy it.

Dick Clarke, the adviser to President Bush for cybersecurity and chairman of the President's Critical Infrastructure Protection Board, thinks the widespread use of cyberinsurance will raise the bar on security.

"They'll say things like, 'We'll give you cyberinsurance if you buy the following products and do the following things,' " he said.

Clarke is particularly interested in promoting cyberinsurance for companies involved in railroads, aviation, banking, power, telecommunications, oil and gas.

"If you look at our critical infrastructure, 90 percent of it or more is owned by the private sector," said Clarke.
The government can protect the physical assets of those companies with troops and tanks, but "when the attack comes over cybernetworks, it's very hard for the government to defend them," he said.

Nancy Gohring: 206-464-2140 or ngohringat_private