Deleting the risk: Hackers invading corporate Web sites by using more sophisticated techniques fuel the market for cyber-risk insurance. (Cyber-Risk: Technology).


As viruses and worms gobble up data and hackers assault businesses, the market for cyber-risk insurance is growing. The first lines of technological defense--firewalls and patches--are no longer impenetrable, leading to more attacks.

The problem appears to be widespread. Of those responding to the "2002 Computer Crime and Security Survey," 90% said they had discovered computer security breaches within the last year. The survey, conducted by the Computer Security Institute and the FBI's San Francisco field office, also found that 80% of respondents suffered financial losses due to computer breaches.

The recent hacking of Ford Motor Credit Co.'s computer database illustrates the potential loss and devastation present in cyber-risk. Entering through a database operated by credit-reporting agency Experian, hackers downloaded the Social Security numbers and addresses of 13,000 customers. This type of personal information can be used to apply for credit cards or mobile phone service. Both Ford and Experian could be sued for failing to keep confidential information out of the hands of hackers.

But as another recent survey indicates, buying Internet-related insurance still isn't top of mind with most corporate executives. A recent St. Paul Cos. survey of 251 risk managers of large corporations found that the majority are unprepared to assess Internet-related risks. Even though they expect the risks to escalate within the next two years, few risk and information-technology managers surveyed said they would consider adding insurance coverage. Instead, risk managers are relying on their company's information-technology investment to prevent security breaches and existing insurance policies to cover losses if a breach occurs.

This practice is folly, and many insurers are clarifying their commercial property/casualty policies to separate coverage of tangible and intangible property, said David O'Neill, vice president of e-business solutions for Zurich North America. "Computer code and information is intangible. Insurers never underwrote or priced for these new exposures, so now many are sending out clarification notices to policyholders advising that code-related exposures are not covered under traditional insurance lines. The resulting question from many insureds is that 'if it's not covered, how do I get it?'" he said.

Intangible assets are becoming a big issue for businesses. At the same time that insurers are excluding intangible assets from coverage, businesses are being directed by the Financial Accounting Standards Board to state the value of those assets. The value of data and computer code needs to be quantified to measure its portion of a business's market value. Corporations, such as pharmaceutical companies, are discovering that intangible assets are a huge percentage of their market capitalization and are beginning to look at the risk-transfer issues involved.

Intangible perils are beginning to damage intangible assets. For example, a virus could wipe out crucial data. Since most commercial property/casualty policies have no definition for "hacker" or "denial of service," there is room for a new product to cover those risks, said Michael Flanagan, a cyber-insurance broker for Arthur Gallagher.

Flanagan compares the slow acceptance by upper management of cyber-risk coverage to the growth pattern of another niche market--employer practices liability insurance. Conning & Co. estimates that cyber-risk insurance accounts for $50 million to $100 million in premium annually, but that could grow to $6 billion by 2006. Only a handful of insurers write the coverage. American International Group has snared a 70% market share, with about 1,200 clients. The remaining 30% includes the London market, Zurich North America, Chubb, St. Paul Cos. and Liberty Mutual.

The Conning report, "E-business Insurance Products--Emerging Market or Specialty Coverage?," concludes that there are many questions remaining about the short-term and long-term viability of e-business insurance, such as how quickly the market will grow and concerns about how insurers will manage the global-scale risk for Internet-related catastrophes. "E-business is redefining the what, when, where, how and how much of business-loss exposures. When things go wrong on the Internet, they do so at lightning speed. Devastating losses can hit businesses anywhere in the world," said Clint Harris, a Conning vice president and author of the study.

One of the major players in the market, Zurich, warns that to be successful in this niche market, insurers must have a committed infrastructure and a dedicated practice, because the potential losses are so great and, to some extent, are changing every day. "History is being created every day in this line. You're playing with catastrophic loss; one hit can have a major effect," O'Neill said.

Zurich's experience in this line reveals a general weakness in corporate technology-security practices. "On the outside, they are hard and crunchy, but their inside is soft and gooey," he said.

Zurich's E-Risk Edge product offers a cafeteria-style selection of coverage options that clients can choose from to build the cyber-insurance coverage they need. Among the options are protection from unauthorized access to or use of data or software, libel, slander, copyright infringement and public disclosure of information. E-Risk Edge also picks up where traditional coverage leaves off. Most commercial policies don't cover the value of stolen intellectual property, software or data. E-Risk Edge reimburses policyholders for the value of the data, money, securities, software and computer resources lost as a result of a covered e-business incident.

Liberty Mutual, which launched its cyber-risk product about five months ago, said although there isn't much of a demand for Internet coverage right now from most corporate "users" of the Internet, it is important to build an infrastructure to meet future demands for the product. "We're gearing up for small to medium-size, old-economy companies that are just becoming cognizant of Internet and network exposures," said Carl Pursiano, vice president of technology and Internet development, Liberty Mutual. "Most clients aren't there yet. The most interest is from technology company service providers." Liberty's product includes coverage for wrongful acts on the Internet, such as copyright infringement or plagiarism; errors and omissions in relation to designing a Web site or conducting e-commerce and technical service; and wrongful acts stemming from consulting, system analysis and data processing.

Hacking Matures

As the sophistication of hackers and malicious code increases, financial losses from cyber-attacks continued to rise for the third consecutive year, according to the 2002 CSI/FBI study. The most serious financial losses occurred through theft of proprietary information and financial fraud. KPMG's Global Information Security Survey determined that the average direct loss of security breaches was $108,000, excluding employee downtime and reduced productivity.

The Computer Emergency Response Team operating out of Carnegie Mellon University reports that hackers implement advanced attack techniques that are more difficult to detect through anti-viral software and intrusion-detection systems. For example, hackers use techniques that hide the nature of the attack tool, causing information-technology departments to rely on laboratory testing and reverse engineering to rectify the problem. In addition, hackers are using automated attack tools that can vary their patterns on random selection and predefined decision paths, according to the CERT report. Hackers also are using new technology to blast through firewalls, and they are increasingly attacking key components of the Internet through denial-of-service incidents and attacks on the Internet Domain Name System, according to other findings from the CERT report. DNS is the directory that translates names to numeric addresses. An attacker can intercept the information on the directory, insert incorrect information and redirect traffic from the legitimate site to a site under the hacker's control, according to CERT.

There are two kinds of hackers--the professionals and "script kiddies," or teen-agers who have a lot of talent and want to see how far they can go--said hacker expert Kevin Ketts of Secure-Works, an intrusion-prevention company. The typical scenario is for a hacker to probe networks looking for vulnerabilities and run an exploit to get to the level of access he or she needs to get data. Ketts said hackers also gain access to companies through social engineering. They can call into a support center of a company and obtain a password or hang out where technology people from a large corporation hang out, get to know them and ask challenging engineering questions in an attempt to fish for information. While most corporations have a degree of security awareness, they don't know specifically what to do or how to manage it, Ketts said.

The financial-services and healthcare industries are particularly vulnerable to cyber-attacks. "These industries have what people want--credit-card and personal-health information," said Gallagher's Flanagan. Looking back over the seven-year history of the CSI's cyber-risk survey, its director, Patricia Rapalus, sees several truisms emerging. "There is much more illegal and unauthorized activity going on in cyberspace than corporations admit to their clients, stockholders and business partners or report to law enforcement. Incidents are widespread, costly and commonplace," Rapalus said.

The Financial-Services Niche

Chubb's cyber-security product protects banks' "dirty little secret," the fact that the majority of financial institutions are being violated by hackers. The invaders are going after credit-card and Social Security numbers and, in some cases, getting as far as selling the stolen information on Internet sites or chat rooms. "Financial institutions are collecting large amounts of data and discovering it's worth something," said Tracey Vispoli, technology product manager for Chubb.

It is estimated that 30% to 40% of attacks are not reported to law enforcement because in a market where security is highly touted, no institution wants the competition to know it is exposed. "No one wants the secret of their vulnerability to be let out. You certainly wouldn't want to put money in a vault that wasn't locked," Vispoli said.

Banks particularly need protection because they are so dependent on technology. Even the smallest community banks are embracing technology to compete with the Fleet Banks and Citigroups. According to a 2001 Community Bank Technology Survey from the Independent Community Bankers of America, Internet banking is the leading technology decision this level of bank will face in the near future. This technological entrenchment is the reason regulators like the Federal Deposit Insurance Corp. and Office of Thrift Supervision are recommending that all banks obtain cyber-risk coverage.

A typical financial-services cyber-loss, Vispoli said, involves a hacker bridging the firewall of a community bank and extracting private customer information, which he or she threatens to publish if a fee isn't paid. "Banks then face the fact they allowed a breach of security, which could lead to a class-action suit brought by customers for not supervising their private information properly. Then you have a true loss of money," Vispoli said.

Chubb's cyber-risk product, which offers coverage to every segment of the financial-services market, insures in cases of extortion demands, vandalism of a Web site and alteration of its data, business interruption and virus attacks. Chubb uses a Network Security Risk Assessment on-site walk-through of each client's security protocols. It includes the personnel side of the security issue. Chubb asks about who has firing and hiring privileges, how employees are trained in security, whether they are instructed not to open attachments and who is approving third-party information.

Critical Security Issues

Senior managers responsible for information security in a cross-section
of the world's largest organizations -- those with gross revenue
greater than $50 million -- were asked what they thought were the most
important security issues facing their organizations.

Issue                                               Share
Viruses                                               22%
Hackers                                               21%
Remote Access Controls                                17%
Internet Security                                     10%
Data Privacy                                           5%
Education of Users                                     5%
B2B Security When Collaborating With Partners          5%
Internet Fraud                                         4%
Theft or Damage to Data                                4%
Other                                                  7%

Source: KPMG LLP

Note: Table made from pie chart


RELATED ARTICLE: Wireless Communications: The Next Big Risk?

Using a homemade antenna, wireless card and a regular laptop, hackers--or college students out for fun--are cruising city streets tapping into valuable corporate information. The sensitive business data stored in wireless networks, laptops and personal digital assistants can be scooped up in drive-bys, because wireless security currently is only about 80% effective.

"The problem starts when companies forget that wireless communications is not restricted by the walls of the building," said Rick Shaw, president of CorpNet Security. Cyber-risk insurers, such as Zurich North America and Chubb, view wireless communication as a growing field that raises great concerns for risks.

Shaw advises users of wireless products to use all the security measures that are built into the devices and limit who can be connected to the network. "Even if using all security techniques, remember if the information is sensitive to make sure it's not going out over a wireless network," Shaw said.

Shaw offers the following tips to reduce risk when using a wireless network:

* Turn on encryption--most are using wireless encryption protocol. New versions are coming that will be more secure.

* Protect drivers and folders with strong passwords (not names or words).

* Change the default service set identifier or wireless network name.

* Isolate wireless traffic from primary network traffic.

* Establish and educate employees about policies for wireless usage at work and home, password requirements and regulatory usage requirements of Homeland Security and the Gramm-Leach-Bliley Financial Services Modernization Act.

COPYRIGHT 2002 A.M. Best Company, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2002, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Author: Goch, Lynna
Publication: Best's Review
Article Type: Brief Article
Geographic Code: 1USA
Date: Jul 1, 2002