
Cyberliability: With little, if any, insurance coverage currently available to businesses to protect against losses that occur in cyberspace, the only viable option to fill this gap is self-insurance. (Information Technology).


Increasingly, companies are realizing that traditional insurance does not cover losses in "cyberspace" -- primarily because insurance policies were written before the Internet, Web sites and e-commerce emerged. However, as the number of high-cost damages from computer viruses, hacker attacks and privacy lawsuits increases, the demand for cyber insurance coverage grows.

Are you affected?

According to Kay Lovaas, president of global technology, St. Paul Companies, Inc., cyber risk can be grouped into three categories: intellectual property (trademark, patent and copyright infringements), privacy (credit card information, social security numbers and other personal data), and network security (computer viruses, access to company information by hackers or employees).

In 2001, The Computer Security Institute in San Francisco surveyed 538 computer security practitioners in the U.S. to determine the impact of online security breaches. According to the survey, 85% of the respondents said they had detected a computer security breach within the last 12 months. In addition, 64% of the respondents said that they had suffered financial losses due to these breaches (35% of this group admitted to total losses of $377.8 million). However, most observers believe losses are much higher.

The breadth of the problem is difficult to determine because most online security breaches are well-kept secrets, notes Tracey Vispoli, cyber solutions manager at Chubb Insurance Co. of Canada (Chubb). However, any company that operates in today's technologically advanced world and uses computers, the Internet or e-mail in conducting business is vulnerable and a potential target for cyber attacks.

Are you protected?

If a computer virus attacks your system and your company Web site is offline for a few days, will your insurance company cover the lost sales or lost income from advertising revenues? What about the cost of a lawsuit from angry customers who discover that a hacker stole their credit card numbers due to a hole in your network security?

Although attacks on corporate networks are becoming more common, as is the unauthorized use of networks and computers to plan or execute other cyber crimes, insurance companies are making it clear that existing policies do not cover the resulting losses. In the U.S., a recent federal court decision -- American Guarantee & Liability Insurance Company vs. Ingram Micro Inc. -- ruled that the loss of computer access and functionality caused by computer viruses, hacker attacks and power outages may be part of business interruption (BI) policies. Nevertheless, insurance companies are starting to rework their existing policies to specifically exclude or severely limit the losses resulting from "cyberspace."

Still, many companies want computer virus coverage; however, few, if any, insurers in Canada currently offer it. Unlike other policies, there are currently no Insurance Bureau of Canada (IBC) wording benchmarks for "cyber policies." John Mitchell of the IBC states that the bureau has been reviewing this area, reassessing current policy wordings to "waterproof the ones that exist" and clarifying the exclusion of cyber coverage from existing policies. Specifically, the IBC has released revised policy wordings to member insurance companies for three existing policies -- Commercial General Liability (CGL), Building Equipment & Stock All-Risk, and Business Risk coverage. They also intend to provide member insurance companies with an outline of how to identify the risks, what they should consider covering and what they should not cover, as well as suggested supplementary coverage, such as electronic data processing coverage.

Chubb is one of the only insurers in Canada that offers a policy to protect companies against computer hackers. Currently available only to financial institutions across Canada, it protects against security breaches to their Web sites or internal computer networks, as well as theft of customer information, Web site vandalism and denial-of-service attacks that prevent users from accessing online services. Vispoli says that Chubb intends to offer a similar policy to non-financial institutions in the future.

Although there has been some indication from the insurance industry that they are considering enhancements to the traditional policies to fill some of the potential gaps for certain types of cyberliability coverage, the demand for such coverage will inevitably result in the recognition of cyber insurance as a stand-alone product.

What to do in the meantime

While insurance companies are in the process of coming to grips with the impact of offering cyberliability insurance, your company must protect itself. With little, if any, cyberliability insurance coverage currently available to businesses, the only viable option to fill this gap is self-insurance.

Businesses must, therefore, manage the associated cyber risk by:

* performing a security evaluation (i.e. studying every facet -- from hiring practices to corporate and information technology, and from database access controls to the locks on the doors);

* implementing controls and building stronger security into the infrastructure itself to minimize the cyber risks; and

* establishing a contingency fund to cover potential costs if a disaster strikes.

Damages to computers and electronic networks can cost a business more than a fire or flood would. Most companies think it won't happen to them, but the risk is real. If your company does not have cyber risk coverage, consider self-insurance to protect it from the damages and losses that can result.

The final analysis

Companies operating in today's high-tech world have computer networks that allow internal and external e-mail as well as connections to the Internet. This gives employees the ability to send and receive e-mails from clients and suppliers all over the world and provides the world access to a Web site containing information about their companies, and even the ability to trade electronically. The creation of cyberliability insurance policies is inevitable if the insurance industry is to meet the needs of today's businesses and protect them financially from losses that may occur in cyberspace. In the meantime, however, self-insurance may be the only viable option to mitigate the effects of a potential disaster.

Hafsa Esmail, CMA, is a forensic accountant at h+a Forensic and Investigative Accounting, a company that specializes in forensic and investigative accounting and computer forensics.

Table 1

Examples of Cyber Crime Cases Prosecuted in the U.S.

Perpetrator      Company        Estimated Loss  Details

Ex-employee      Omega Systems  $10,000,000     Fired employee left computer program to wipe out company software
Employees        Cisco Systems  $6,500,000      Accountants used computer system to steal company stock
Various Hackers  N/A            $1,500,000      Hacker group disrupted telecom companies' teleconference services
Employee         GTE            $209,000        Disgruntled employee destroyed computer data
Ex-Employee      Lance Inc.     $100,000        Employee left "code bomb" in computer that disabled the systems

Source: U.S. Department of Justice
COPYRIGHT 2002 Society of Management Accountants of Canada
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2002 Gale, Cengage Learning. All rights reserved.

Author:Esmail, Hafsa
Publication:CMA Management
Geographic Code:1USA
Date:Mar 1, 2002