ADDRESSING E-Commerce EXPOSURES.Too few companies have recognized the scope of the dangers posed by e-commerce liability and taken steps to manage them, say insurance companies and brokers. Corporate America has jumped eagerly into the electronic commerce arena, with many companies reaping the initial rewards of instantaneous communication, transactional capabilities and market penetration Noun 1. market penetration - the extent to which a product is recognized and bought by customers in a particular market penetration - the act of entering into or through something; "the penetration of upper management by women" . But the potentially disastrous financial exposures created by this new venue have been largely overlooked. Corporate risk managers, who until recently focused primarily on bricks and mortar A store (shop, supermarket, department store, etc.) in the real world. Contrast with clicks and mortar. and liability-related exposures directly linked to their individual enterprises, must now take a wider view. Once online experts warn, a company opens itself to an expanded range of serious exposures that require a committed response -- a commitment originating not from the risk management or information technology departments, but from the board-room itself. Its been hard to persuade corporate leaders that e-commerce, with all of its benefits, has left their companies vulnerable to a myriad of accidental and intentionally created loss scenarios, insurers and brokers report. Their observations were affirmed in survey results released earlier this year by The St. Paul St. Paul as a missionary he fearlessly confronts the “perils of waters, of robbers, in the city, in the wilderness.” [N.T.: II Cor. 11:26] See : Bravery Cos., the St. Paul, Minn.-based global insurer, and conducted by the New York-based opinion research firm of Schulman, Ronca & Bucuvalas Inc. According to according to prep. 1. As stated or indicated by; on the authority of: according to historians. 2. In keeping with: according to instructions. 3. that survey, which queried 1,350 risk managers in large U.S. and European corporations, only 25 percent of U.S. companies and 30 percent of their European counterparts had risk management committees or other formal structures to identify and monitor technology. Of the companies with such a committee or structure, only half -- or about 13 percent of total respondents -- felt it was effective. And only about three in 10 risk managers surveyed had reviewed the potential technological risks posed by a merger or acquisition involving their company. "While we had the impression this topic was not yet a major issue among executives and risk management, we were shocked at the lack of knowledge and under-preparedness that surfaced," says Kae Lovaas, president of Global Technology Underwriting, a division of The St. Paul, recalling her company's reaction to the survey results. "As businesses rely increasingly on technology, employees and customers have increased access to company data and information in an environment with untested legal liabilities. The global nature of e-commerce, varying legal systems and the speed with which new innovations are brought to market further complicate the challenges facing companies today," Lovaas observes. "There is a leadership opportunity on this issue in many companies. Senior management has the responsibility to take the lead and foster a partnership approach between their IT departments and risk management functions." As the scope of technology and its resulting exposures expands, so, too, have the insurance products available to help companies address these risks. Yet brokers caution that coverage for these cyber-exposures is often limited or excluded in a company's property, commercial general liability and other more traditional policies. Recognizing Risks Proper risk management starts with recognition of the problem. R. Bryan Tilden, president of Tilden and Associates, a Pittsboro, N.C.-based training and consulting company Noun 1. consulting company - a firm of experts providing professional advice to an organization for a fee consulting firm business firm, firm, house - the members of a business organization that owns or operates one or more establishments; "he worked for a targeting the insurance industry, emphasizes that executives need to recognize and address exposures arising out of e-commerce. These exposures, he adds, have become magnified as more and more of the world's communications and transactions are conducted online -- a trend he says is likely to continue. Fully 80 percent of businesses reported an Internet presence at year-end 2000, Tilden says. Citing statistics gleaned from a variety of technical sources, Tilden also noted: Web-page growth tripled in only one year; Internet traffic Internet traffic is the flow of data around the Internet. It includes web traffic, which is the amount of that data that is related to the World Wide Web, along with the traffic from other major uses of the Internet, such as electronic mail and peer-to-peer networks. doubles every 100 days; email transactions outnumber "snail mail Mail sent via a country's government-regulated postal system. (messaging) snail mail - (Or "snailmail", "smail" from "US Mail" via "USnail"; "paper mail"). Bits of dead tree sent via the postal service as opposed to electronic mail. " 10-1; and 25 percent of the U.S. population is buying products or services on line. Tilden observes, however, that many corporate executives have a head-in-the-sand attitude toward e-commerce exposure -- perhaps mistakenly assuming that if they aren't actively selling products online exposure is minimal or even nonexistent non·ex·is·tence n. 1. The condition of not existing. 2. Something that does not exist. non . "They're wrong," Tilden cautions, warning that any online presence, even if limited to a passive Web site existing solely to promote the company, potentially opens the door to e-commerce-related losses. Experts also warn that companies are vulnerable not only to potential losses stemming from catastrophic events or human error, but to a wide range of potential loss scenarios arising out of intentional acts. One technology expert reported that in the last five years alone, more than 65,000 computer viruses have been identified, with some of the more destructive -- and highly publicized pub·li·cize tr.v. pub·li·cized, pub·li·ciz·ing, pub·li·ciz·es To give publicity to. Adj. 1. publicized - made known; especially made widely known publicised -- strains wreacking havoc in both corporate and personal computers around the world. Computer hackers, added Tilden, have become so brazen bra·zen adj. 1. Marked by flagrant and insolent audacity. See Synonyms at shameless. 2. Having a loud, usually harsh, resonant sound: "sudden brazen clashes of the soldiers' band" that they held their first-ever International Hackers Convention in the Netherlands last year. Disgruntled dis·grun·tle tr.v. dis·grun·tled, dis·grun·tling, dis·grun·tles To make discontented. [dis- + gruntle, to grumble (from Middle English gruntelen; see employees, who once may have avenged a·venge tr.v. a·venged, a·veng·ing, a·veng·es 1. To inflict a punishment or penalty in return for; revenge: avenge a murder. 2. themselves on their employer by destroying a handful of paper files or raiding the supply closet Noun 1. supply closet - a closet for storing supplies closet, cupboard - a small room (or recess) or cabinet used for storage space , now pose a far wider threat. Even questionable materials downloaded onto an individual worker's computer screen -- or disseminated among workers via email -- potentially opens the company to a wrongful employment practices action if the material is alleged by others to create a hostile workplace. E-commerce risks multiply as corporate America continues to move away from an environment characterized by isolated data centers toward one more intricately connected through technology, notes Emily Freeman Emily Freeman is a British senior female runner from the. She is currently associated with the Yorkshire / Wakefield Harriers & AC. In 2006, her UK Athletics ranking in the 100m is 5th, with a best time of 11.40 seconds. , senior vice president at New York New York, state, United States New York, Middle Atlantic state of the United States. It is bordered by Vermont, Massachusetts, Connecticut, and the Atlantic Ocean (E), New Jersey and Pennsylvania (S), Lakes Erie and Ontario and the Canadian province of City-based Marsh Inc., a leading risk and insurance services firm. Yet while technology may have spawned the exposures, Freeman argues that it is ultimately senior management and the directors who must lead the battle to address them. Observes Freeman: "It's a governance issue -- a business risk issue that can't be solved alone at the level of technology, for it engages a number of different business functions. [That] requires a multidimensional mul·ti·di·men·sion·al adj. Of, relating to, or having several dimensions. mul  ti·di·men approach."
Marsh is working with AT&T Corp. to provide AT&T enterprise Web-hosting customers with a comprehensive e-business "Net Secure" insurance product. Freeman identifies other e-commerce-created exposures that can result in serious losses, including those associated with: Internet liability errors and omissions errors and omissions n. short-hand for malpractice insurance which gives physicians, attorneys, architects, accountants and other professionals coverage for claims by patients and clients for alleged professional errors and omissions which amount to negligence. ; privacy violations; denial of service attacks An assault on a network that floods it with so many additional requests that regular traffic is either slowed or completely interrupted. Unlike a virus or worm, which can cause severe damage to databases, a denial of service attack interrupts network service for some period. ; intellectual property, content and advertising offenses; security breaches; Internet and network wrongful acts, including disclosure of electronic information; crisis management; and threats and extortion extortion, in law, unlawful demanding or receiving by an officer, in his official capacity, of any property or money not legally due to him. Examples include requesting and accepting fees in excess of those allowed to him by statute or arresting a person and, with . Growing numbers of insurers are developing specific e-commerce products and are calling on corporate executives to demonstrate clue diligence in exercising aggressive risk management steps. Corporate risk management professionals should work closely with their broker to conduct a coverage-to-exposure evaluation, says Philip A. Eifert, an associate with Keevily Spero Whitelaw Inc., a Harrison, N.Y.- based insurance agency specializing in technology insurance. While such an evaluation may determine that some coverage exists for e-commerce-related risks, the more effective strategy, he emphasizes, is to buy a stand-alone policy crafted specifically to address the exposures e-commerce creates. "While the Internet presents many opportunities to a business, it is also a threat. As a company's technological sophistication so·phis·ti·cate v. so·phis·ti·cat·ed, so·phis·ti·cat·ing, so·phis·ti·cates v.tr. 1. To cause to become less natural, especially to make less naive and more worldly. 2. increases, so, too, does its need for specialty coverage to respond," says Eifert. Yet, identifying these exposures is the first and often most problematic step that corporate executives and their brokers face. Among the questions Eifert has developed to help companies ascertain their need for specialized e-commerce coverage include: * Does coverage currently exist for valuable records and clara? Eifert notes that "intangible assets" are now considered the most valuable assets of more information-centric businesses and may not be recognized in traditional policies as "physical property." * Does the company conduct business on line? If so, it could be exposed to a loss of income and additional expense losses if the Web site goes down and causes a business interruption. * Does the company allow online credit card orders on customer accounts and, if so, how is credit card information stored? Eifert warns that even "secure" sites can be cracked, potentially creating a significant liability exposure if this sensitive information is improperly handled. * Does the company have both a contingency plan A plan involving suitable backups, immediate actions and longer term measures for responding to computer emergencies such as attacks or accidental disasters. Contingency plans are part of business resumption planning. and back-up procedures in place to restore data? Likewise, does the company have written -- and enforced -- security procedures to restrict and control system access? * Does the company ever publish or post to the Internet? If so, what sort of content clearance procedure is in place to assure ownership of the material? * Does the company have a "firewall" to repel re·pel v. re·pelled, re·pel·ling, re·pels v.tr. 1. To ward off or keep away; drive back: repel insects. 2. hackers and alert the company if an attempt has been made to breach the system? * Does the company have access to Internet email and, if so, is there a written company email policy? Ty R. Sagalow, chief operating officer Chief Operating Officer (COO) The officer of a firm responsible for day-to-day management, usually the president or an executive vice-president. of AIG AIG addressee indicator group (US DoD) AIG American International Group, Inc AiG Answers in Genesis (religious group in defense of Scripture) AIG Artificial Intelligence Group AIG Australian Industry Group eBusiness Risk Solutions, a division of New York City New York City: see New York, city. New York City City (pop., 2000: 8,008,278), southeastern New York, at the mouth of the Hudson River. The largest city in the U.S. based American International Cos., warns that failure to address Internet exposures can be devastating dev·as·tate tr.v. dev·as·tat·ed, dev·as·tat·ing, dev·as·tates 1. To lay waste; destroy. 2. To overwhelm; confound; stun: was devastated by the rude remark. , "taking a heavy toll on a company's profitability -- not to mention its brand, corporate image and its stock value." In his view, traditional insurance products, written for a world that no longer exists, "are not up to the task of dealing with today's cyber-risks." Yet Sagalow and other technology experts concede that the act of purchasing a cyber-insurance policy isn't enough; companies must adopt a comprehensive risk management strategy to address their e-commerce exposures. "Companies need a lot more than insurance -- they need relationships with technology companies to prevent or reduce the loss," observes Sagalow, whose company offers the "AIG netAdvantage Suite" of five different insurance products to address a broad range of Internet risks. Specifically, Sagalow says a company's risk management strategy must embrace four key areas -- people, procedures, technology and insurance. He stresses that a tightly monitored and enforced e-commerce risk management strategy, backed by strong security and insurance components, will go a long way toward ensuring that companies do not become victims of the technology they have so willingly embraced. Barbara Morris is a freelance business writer in New Jersey who specializes in risk management issues. Experts advise companies to take the following steps to address their e-commerce exposure: * Establish an empowered organizational structure  This article has no lead section.To comply with Wikipedia's lead section guidelines, one should be written. , with representation from key departments, to work through the process of addressing the company's cyber (1) From "cybernetics," it is a prefix attached to everyday words to add a computer, electronic or online connotation. The term is similar to "virtual," but the latter is used more frequently. See virtual. risks. * Conduct a thorough analysis of the enterprise's use of technology to identify where potential exposures lie. * Establish technology-use protocols and procedures to be followed consistently by all employees, and monitor these for compliance. * Use state-of-the art security technology to protect company systems from intrusion. * Obtain the necessary insurance products to transfer the e-commerce risk from the company's balance sheet. * Consider hiring outside cyber-risk consultants, who can supply both the expertise and objective perspective the company may need. Experts also emphasize that to be successful, a company's e-commerce risk program must be proactively supported from the top. They also caution that while e-commerce risk may, at first glance, appear to be the sole function of risk management, any program must break down traditional silos and address cyber risks across all departmental functions. As one insurance executive points out: "A lot of people either don't want to touch the issue of cyber risk or are only comfortable addressing a piece of it. If you look at cyber risk as a pie, they've only touched a slice." The cyber-risk strategy that engages the full range of a company's business functions will ultimately bring the best results. |
|
||||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion