The network is the risk: in August, the Zotob virus disabled CNN and ABC News, showing how vulnerable computer networks really are. In the financial services world, e-thieves can make off with financial data without leaving a trace. Corporate risk managers are beginning to recognize this exposure, and acting to mitigate it.
Paula L. Green
As computer criminals become as sophisticated and swift as the technology they use to commit their crimes, corporate executives are taking a closer look at whether they should invest in network-risk insurance.
No longer just the province of Internet companies or e-retailers, network-risk cover gives companies vital financial protection in a business world where computer viruses can sweep around the globe in seconds and computer hackers can quickly abscond with the most intimate financial details of a company’s customers. And as more businesses turn to the digital world for everything from accounting tasks to ordering supplies, and lawmakers up the liability ante for privacy breaches, corporate insurance buyers are taking note.
“Risk managers are increasingly saying, ‘Do I have this exposure, and how do I address it?'” says Norman Rafsol, senior vice president and chief underwriting officer in the professional liability division at American International Group Inc. in New York. “And the key is technology … which has increased the scale of the potential losses. It’s just not dumpster divers (looking for credit-card imprints) anymore. Criminals have more access to more information.”
“The threat to the balance sheet can be significant,” adds Brad Gow, vice president, ACE professional risks, at ACE USA in Philadelphia. “And with so many companies doing more business online, many types of companies, whether retailers or manufacturers or service companies, have some degree of exposure.”
First developed about a half-dozen years ago, the cover can provide a business with first-party and third-party protection against the tricky intangible losses that can occur when the complex security systems protecting its computer network break down. First-party cover would help a company recover the expenses involved in repairing its database of customers, for example, if it were damaged by a computer hacker who was able to implant malicious code. The coverage should compensate a company for the cost of hiring technology experts to come in and rebuild the database, as well as the business-interruption costs resulting from the temporary loss of information.
Third-party protection is the cover capturing the attention of executives as they read the spate of media headlines about data theft–such as the CardSystems Solutions Inc. fiasco this summer that may have exposed 40 million credit-card holders to fraud. If a computer hacker breaks a credit-card company’s code, penetrates its firewall and taps into its database to release Social Security numbers and other sensitive data, a network-risk policy would cover the damages to the company’s customers whose privacy has been violated.
Its protection would also cover scenarios that involve authorized access and unauthorized use. So if a credit-card-company employee taps into 100,000 credit-card accounts, copies the data and sends it off to an accomplice in Southeast Asia, who then opens up new accounts and charges the maximum to each card, the network-risk cover also should kick in.
MORE ASSETS, MORE COVERAGE
Industry experts say interest in the coverage has surged over the last few years as more businesses place more information online and courts hand down rulings that exclude so-called “intangible assets,” like computer data, from the array of perils covered in general property and liability policies.
At the start of 2002, ISO, the industry’s underwriting standards group, put out new policy forms that further reduced the exposure of insurance companies.
“The ways that people do business are increasingly dependent on electronic processes,” says Kevin Kalinich, managing director of technology and professional risks at Aon Financial Services Group in Chicago. “And general liability policies are excluding intangible assets. This type of law can impact the financial statements of companies.”
And it’s not only court rulings that are placing pressure on corporations to be sure that financial losses stemming from these computer security breaches are covered. The more stringent reporting requirements of federal legislation such as the Sarbanes-Oxley Act of 2002, the Gramm-Leach-Bliley Act of 1999 and the Health Insurance Portability and Accountability Act of 1996 are also generating anxieties in board rooms and executive offices around the country.
“The Sarbanes-Oxley Act subjects entities to accountability and internal control requirements. Section 404 requires public companies to qualify and quantify their risk. Ignoring network risk would be a violation,” says Kalinich, adding that the law does not require public companies to purchase network-risk cover.
The financial services industry–the keeper of billions of pieces of confidential customer information from Social Security numbers to credit ratings–has become more vulnerable to acts of cybercrime as it minds the privacy and security requirements of the Gramm-Leach-Bliley Act. And state legislation is also intensifying their vulnerability as laws–like the California Database Protection Act of 2003–expect data holders to notify customers when their data has been stolen or lost. Health-care companies are also finding themselves at the mercy of computer criminals as HIPAA forces them to carefully guard the confidentiality of their patient information.
Christopher Keegan, senior vice president and national cyberpractice leader at Marsh Inc. in New York, agrees that court rulings that have excluded intangible assets from general liability policies, as well as recent legislative mandates, are partly behind the surge in interest.
“To a great degree, the level of uncertainty is driving the demand for the policies,” says Keegan. “But it’s partly driven by the change in the nature of the hackers. It has shifted from school boys who are making a name for themselves, to international crime rings in Africa or Russia or Asia. They’re ramping up their efforts as there are more and more places for them to attack.”
An Aon study of the 2004 insurance purchases of 2,000 Aon clients with annual revenues of more than $100 million showed that about 95 percent of Internet-based companies have network-risk cover; 58 percent of e-retailers have secured the cover; and 17.5 percent of all other entities, from manufacturing companies to educational institutions, bought the insurance.
Five years ago, less than 5 percent of total insureds bought this type of insurance, and even two years ago, the buyers were less than half of what they are today, Kalinich says.
Keegan believes another reason behind the buying surge is that the softer property/casualty market has freed up corporate insurance budgets for this relatively pricey product. Premiums vary widely–depending on the industry, the size and loss history of a company, and the uses of its computer network.
“Financial institutions with a trading floor that rely on a computer system for billions of dollars of trading are going to have more exposure than a manufacturing firm,” Keegan explains.
Retentions are heading upward, but pricing remains steady and can range from $7,000 per $1 million of cover for a company at low risk to $45,000 per $1 million of coverage for a firm with high risk.
And the string of recent security breaches and growth of cybercrime haven’t been lost on the reinsurance world. The half-dozen or so reinsurers that handle this specialized risk are becoming more selective and even dictating exclusions and other coverage terms, industry observers say.
Reinsurers–fully aware that a massive assault on global computer systems could have greater ramifications on their bottom lines than even a terrorist attack or a record-breaking earthquake–are closely analyzing the book of business of their insurance clients to be sure they are not overexposed, Gow says.
“There are no geographic limits, no industry limits with a worldwide computer virus that could spiral around the world,” Gow says. “Reinsurers working with multiple carriers in multiple countries are being very careful.”
PAULA L. GREEN, a freelance journalist based in New York, writes about national and international business topics. She can be reached at riskletters@lrp.com.
COPYRIGHT 2005 Axon Group
COPYRIGHT 2005 Gale Group