[ISN] Cyberinsurance may cover damage of computer woes

From: InfoSec News (isnat_private)
Date: Tue Jul 30 2002 - 00:33:06 PDT


    By Nancy Gohring
    Seattle Times business reporter
    July 29, 2002

    In February 2000, online hackers launched what's known as a "denial of
    service" attack, shutting down eBay, Amazon.com, CNN.com and other
    major Web sites for as long as three hours. By some estimates, the
    event cost the companies $1.2 billion.

    Traditionally, such attacks haven't been covered by insurance. In
    industry lingo, the companies were "self-insured," meaning they were
    responsible for their own losses.

    But as online attacks and viruses continue to wreak havoc - and at a
    time when security is increasingly a top-of-mind concern - insurers,
    technology companies and the federal government are working toward a
    solution to protect companies from losses.

    The idea that has emerged is being called cyberinsurance, and it
    covers almost anything related to information technology, including
    losses resulting from viruses, hacker or denial of service attacks,
    extortion, and copyright and privacy infringement.

    So far, some insurers are including coverage for basic problems in
    their general liability offerings, but most are asking customers who
    want significant coverage to pay for separate packages.

    High-tech companies are the most likely to buy cyberinsurance in case
    their services or products fail their customers. But the insurance
    industry wants all companies with any sort of Internet connection to
    take out cyberinsurance, and the federal government is particularly
    hopeful that companies in industries traditionally considered
    utilities will buy it.

    In fact, the insurance industry predicts that cyberinsurance will be a
    $2.5 billion market in 2005, according to the Insurance Information

    In the meantime, insurers are experimenting with how to offer it,
    while struggling to persuade companies to buy it. It's not clear at
    this point how many companies have signed up for cyberinsurance.
    American International Group, a known name in the field, has issued
    more than 2,000 policies, but if you ask companies about
    cyberinsurance, many will say they've never heard of it.

    Those companies may be some of the same that have experienced losses
    resulting from security failures. The Computer Security Institute and
    the FBI's Computer Intrusion Squad in San Francisco found 90 percent
    of companies surveyed recently had detected security breaches in the
    past year, though only half of them were able and willing to quantify
    their losses - about $455 million in the past year.

    Third-party coverage

    As a practice, few companies buy insurance to cover losses they may
    incur when internal systems fail. Instead, they more commonly buy
    third-party cyberinsurance, which protects against damage to customers
    or someone other than the company.

    "People buy insurance for things outside of their control that are
    catastrophic in nature, like being sued," said Ned Sander, managing
    director for the Seattle office of AH&T Technology Brokers, an
    insurance broker serving small and medium-size technology businesses
    in Seattle.

    An example is Amaze Entertainment, an AH&T customer and Seattle
    company that develops electronic games for publishers such as
    Electronic Arts. When it comes to insurance, Amaze negotiates with its
    publisher-customers whether to insure its products.

    "We'll say that we'll buy it if you want it, but you'll pay more for
    the project," said Mike Dean, director of finance with Amaze. Such
    insurance would cover losses to Amaze's customers in case, for
    example, the customer sells Amaze software to end users and the
    software is faulty. If Amaze's customer had to recall the product and
    offer refunds, insurance would cover the losses.

    But when companies look at first-party insurance, which would pay for
    loss to the company itself, they tend to pass. "A lot of times these
    IT guys say if I buy a policy it admits I'm not doing my job well
    enough," Sander said.

    Amaze hasn't invested in first-party cyberinsurance. "We're not
    worried about our systems crashing," said Dean.

    Complicated applications

    Companies also shy away from first-party insurance because it can be
    complicated to buy. Insurance companies usually require an in-depth
    evaluation of the potential customer's systems - sometimes at a cost
    to the customer - as well as a lengthy, complicated set of forms.
    Some companies decide against first-party insurance, Sander said, once
    they learn about that process.

    Companies may also be turning down first-party insurance because of
    the hush-hush nature that often clouds specific attacks. It's widely
    believed that companies with security breaches tend not to report them
    to law enforcement or insurers.

    "When a company has their systems hacked into and they suffer losses,
    they don't like to advertise it," said Bob Bregman, senior research
    analyst with the International Risk Management Institute. "Because if
    someone hacks into your system it's not the same as saying your plant
    was destroyed by fire. There are different implications."

    Companies that do consider cyberinsurance have a lot of research to
    do. Insurers have a wide variety of packages to offer, as they try to
    get their hands around the risk involved, with little historical
    information to help determine values.

    "Traditional (insurance) products have decades of loss information
    where we can generate a premium that is razor thin because you have
    this ability to understand the losses of the past," said Ty Sagalow,
    chief operating officer of AIG's eBusiness Risk Solutions group.

    Not so with cyberinsurance. Because risk from electronic failures has
    so little history, some insurance companies, like AIG, offer it as a
    separate policy. Other insurers, however, include certain basic forms
    of cyberinsurance in general liability packages.

    Nonetheless, Sagalow thinks that ultimately all insurers will offer
    cyberinsurance separately because it's a unique risk that should be
    handled by the insurance company's specialists.

    Not everyone agrees. "Over time the coverage will be included in the
    package," AH&T's Sander said. He points to The St. Paul Companies and
    The Chubb Group, both of which offer general liability policies that
    cover loss and recovery of data that may occur because of a physical
    event, such as an electrical power surge or a fire.

    In April, St. Paul added to its general liability plan a $10,000 limit
    on business interruption and data loss resulting from hacker attacks
    or viruses, Sander said. Companies that want more will have to pay
    extra for it.

    The price varies depending on the size of the company, as well as the
    types and amount of coverage. Fortune 500 companies could spend
    hundreds of thousands a year for robust coverage with high limits,
    Sagalow said.

    AIG will cover as much as $25 million or even more if a company wants
    it. Small companies, on the other hand, could take out a policy that's
    as low-priced as $999.

    Government encouragement

    Even though the insurance industry is clearly hammering out the
    wrinkles of this new type of insurance, a push by the federal
    government may lead more companies to buy it.

    Dick Clarke, the adviser to President Bush for cybersecurity and
    chairman of the President's Critical Infrastructure Protection Board,
    thinks the widespread use of cyberinsurance will raise the bar on

    "They'll say things like, 'We'll give you cyberinsurance if you buy
    the following products and do the following things,' " he said.

    Clarke is particularly interested in promoting cyberinsurance for
    companies involved in railroads, aviation, banking, power,
    telecommunications, oil and gas.

    "If you look at our critical infrastructure, 90 percent of it or more
    is owned by the private sector," said Clarke. The government can
    protect the physical assets of those companies with troops and tanks,
    but "when the attack comes over cybernetworks, it's very hard for the
    government to defend them," he said.

    Nancy Gohring: 206-464-2140 or ngohringat_private

    ISN is currently hosted by Attrition.org

    This archive was generated by hypermail 2b30 : Tue Jul 30 2002 - 02:59:50 PDT