Under separate cover: Internet risks have become so great that some insurers have taken them out of general liability policies and given them policies of their own. (Technology: Cyber-Risk)

As business went online in the past few years, crime followed. As a result, insurers are creating whole new lines of Internet-risk coverage. Only a few insurers write this new kind of insurance, and commercial customers are just starting to collectively show interest. But many believe cyber-risk will become a significant product line because the Internet is fundamentally altering the way companies do business.

Internet risks abound. Hackers--outsiders or employees--can steal, destroy or manipulate data. They can vandalize Web sites or tie up a system by flooding it with worms and viruses. Hackers can extort companies with threats of attack or disclosure of data, or they can shut down businesses entirely. Failure to protect data, particularly of a private and confidential nature, can engender lawsuits.

The dangers are so consequential that the federal government has launched its National Strategy to Secure Cyberspace as an integral part of homeland security.
It provides direction to federal departments and agencies and guidelines for state and local governments and private industry.

Insurers began to come forward with coverages as Internet use exploded in the late 1990s. As people were hurt by breaches in Internet security, they began to file lawsuits "in some volume," said attorney Robert Hammesfahr, chair of the International Practice Group at the law firm Cozen O'Connor. These suits deal with privacy issues, theft of identity, network security and economic losses due to disruption.

"Most insurers from the beginning have taken the position they're not insuring these kinds of claims," he said. "Under commercial general liability policies, claimants must show bodily injury or tangible third-party property damage. In that regard, case law is quite strong for the insurance companies that traditional policies don't provide coverage."

Most insurers have concluded that Internet coverage is too risky because the traditional ways to control losses, such as diversifying geographically, don't apply. Reinsurers, too, either exclude cyber-risk or avoid working with its direct writers, Hammesfahr said.

"It took a company like AIG [American International Group] or the Lloyd's syndicates to be the pioneers," he said. "AIG always looks for unusual risks, and it had a long history of insuring big computer companies like IBM and Microsoft." He added that Lloyd's, itself a virtual network, likens the scope and unpredictability of the risks to those of covering railroads when they were a new form of transportation. Other major writers include St. Paul Cos., Chubb Group, Zurich American, Hartford and Ace Ltd.

Premiums paid in the United States last year for cyber-insurance were probably in the $60 million to $120 million range, said Steven H. Haase, chief executive officer of InsureTrust.com, a wholesale program administrator that works with sellers and manufacturers of cyber-risk insurance. That means the product is still a very small part of the overall commercial insurance market, but Haase expects sales this year will double, and the coverage will become a common purchase in two or three more years.

"It's going very much the way employment-practices liability went after the Anita Hill
sexual harassment case made it known as a new frontier," he said. "Now we're starting to see broader coverage, greater awareness of risks and more legal activity."

External factors are holding up development of the market, Haase said. One is the sluggishness of the economy and corporate profits. Another is that existing insurance rates are up 20% to 40% year over year, so there is a reluctance among company executives to buy new coverage. A third factor is that there is still not a standard definition of corporate negligence when a company is hacked, and negligence has yet to "be really tested" in courts, he said.

There is also little pressure on writers to enter the cyber-risk arena, said Hammesfahr. The business requires big commitments to new kinds of underwriting and claims, and writers have only so much capital, he said.

Keeping Pace With Clients

Chubb focuses its cyber-risk product line on financial services companies, which it found were adopting online technology at a brisk pace. Chubb began writing the business about three years ago. Both foresight and published claims statistics caused Chubb to become a cyber-writer, according to
Tracey Vispoli, worldwide manager of financial fidelity in the company's Department of Financial Institutions.

"The statistics clearly indicated that financial fraud was rising steadily, not only the frequency, but the severity," she said. "The combination was alarming to us because you underwrite either to severity or frequency. And the tools to breach a network are readily available."

Chubb came to believe, however, that the higher frequency was linked to more reporting. Fraud on the Internet used to be "a company's dirty little secret," she said. "They would never report the crime because doing so would put them into a competitive disadvantage, or they might not have known a crime was committed. But now under-reporting is becoming a thing of the past."

In 2000, Chubb determined that its commercial policies offered only "slivers of coverage," leaving clients the option of self-insurance for most cyber-risk, said Vispoli. The company launched its first product in February 2001 with a focus on first-party protection. Competitors at the time were focusing on liability. "Taking the crime-based approach first was important for us because those exposures are more apparent for a bank."

Chubb introduced its new policy, CyberSecurity by Chubb Liability Insurance for Financial Institutions, in February 2003; it offers coverage for both direct loss and liability. Specifically, it covers electronic theft and misappropriation,
denial or impairment of services, communications, vandalism, threats (kidnap, ransom and extortion), and electronic signatures.

As of May, about 15% to 20% of Chubb's commercial customers were buying the insurance, said Vispoli. New products often take three or four years to gain widespread acceptance, which was the case with employment practices liability and directors and officers, she said.

Growing Interest

In the previous five months, however, interest has grown briskly with a doubling in the number of applicants--a "phenomenal amount of growth in interest," Vispoli said. One reason is that financial services are more regulated than other industries, and regulators have become aware that cyber-breaches can impact the safety and soundness of an institution. "A mitigating control is that insurance is available," said Vispoli.

In a handbook released in December 2002, the Federal Financial Institutions Examination Council sent the message that cyber-risk could impair a bank's or credit union's capital. The FFIEC is an interagency
coordinating body consisting of the Comptroller of the Currency, the chairman of the Federal Deposit Insurance Corp., members of the Board of Governors of the Federal Reserve System, the Office of Thrift Supervision and the chairman of the National Credit Union Administration.

Chubb's policies cost from as little as $12,000 for the first million dollars of coverage to about $40,000, Vispoli said. Clients range from small community banks to Fortune 200 organizations.

St. Paul Cos., which for 20 years has had a dedicated underwriting unit for technology companies, focuses on cyber-coverage for those companies and for smaller financial institutions, such as community banks and smaller regionals. It launched cyber-risk products in 1999, said Aaron Latto, e-commerce underwriting director, Global Technology Underwriting Unit.

The company launched its newest cyber-risk product, Internet Liability Protection, in 2001. It expanded the focus of coverage in response to new risks the company saw, said Latto. A main element of coverage protects against claims arising from a failure to protect the confidentiality of others.

"One of the reasons this is top-of-mind is there's a growing regulation and scrutiny of information-protection practices," said Latto. "The financial companies face Gramm-Leach-Bliley regulations, and the health-related industries face HIPAA [Health Insurance Portability and Accountability Act] requirements."

The tech companies' vulnerabilities stem from their sophisticated online operations in which they sell information to or transfer it with customers. Additional coverages for these companies include limited intellectual property, liability for virus transmission, and claims that arise from online advertising by other companies. The latter is important because tech companies with Web sites often run banner ads or are in partnerships with other firms, said Latto.

Writing insurance for smaller banks has been a part of St. Paul's
So far, St. Paul has written hundreds of policies, and the demand for cyber-risk protection is growing "slowly but surely," Latto said.

"Some of the really large companies have been the early adopters of this kind of coverage," he said. "Our policyholders tend to be mid-size or smaller, so they have been buying the coverage in increasing amounts each year." Others have been hesitant due to the economic climate, which has been punishing for tech companies, and the hard insurance market, he said.

Annual premiums range from as little as $3,000 a year for small companies to more than $100,000 for large ones, Latto said. St. Paul writes in the admitted market, which tends to be more stable, rather than in surplus lines, where things can change on a daily basis.

AIG Expands Coverages

AIG is the dominant cyber-writer with some 2,500 policies issued worldwide in the three and one-half years it has written such coverage. Ty R. Sagalow, executive vice president and chief operating officer of AIG eBusiness Risk Solutions, declined to disclose premiums, but concurred with estimates that AIG writes about 70% of the cyber-business.

In May, the company announced a significant expansion of its Internet and network coverages, including more kinds of business-interruption losses and for longer periods, forensic and investigative expenses, punitive damages for third-party losses, identity theft, and cyber-terrorism coverage, even for noncertified acts of terrorism as defined by last year's federal terrorism law. The expanded coverages are the result of AIG's Six Sigma
improvement process, which is based on listening to customers, said Sagalow.

"Our view is that our coverages are the most robust in the industry," he said. "Most companies don't even offer first-party and third-party coverage. Some offer both, but to one industry segment. We offer to all industries."

AIG's suite of cyber-risk policies is in several languages. Most overseas customers are in the United Kingdom, Israel, South America and Australia, but most policies overall are sold in the United States.

Sagalow credited the scope of coverage to AIG's corporate culture, which seeks to identify new risks and help clients manage them. Internet-risk insurance is the fastest-growing of any new insurance line he has seen in his 20 years with the company, including environmental, directors and officers, and sexual harassment, he said.

That corporate culture also encourages stand-alone working groups answerable for their results. About 50 people work in the eBusiness Risk Solutions group.

"This group is composed of underwriters, claims personnel, technologists and legal professionals," Sagalow said. "This is all we do. We're not an offshoot, but a standalone organization." It has authority to write up to $25 million of liability coverage per client. Its most simple coverage can cost as little as $1,000 a year, but for bigger companies with large limits and robust coverage, premiums are in the "six figures," he said.
With terrorism part of today's world, and despite efforts by government to secure the Internet, vulnerabilities remain real. Earlier this year, hackers came within a breath of shutting down the entire Internet worldwide, said Haase. The Internet has five core connection centers, and three were shut down, he said.

"Hacking is a function of computing power and time," said Haase. "If you have enough, you can hack into anything. So the managers of these connections probably identified what was happening, and they made the costs or the time requirements too onerous."

Sagalow said there is plenty of evidence al Qaeda will try to attack the Internet. "Every business has an ebusiness risk," he said. "The Internet is like electricity, a part of our society." A single Internet virus earlier this year spread around the world in 10 minutes, he said.

A big, successful attack could disable critical infrastructure, such as power plants, water facilities, telephones and in some cases emergency services, a kind of cyber Pearl Harbor. Such an attack could come anonymously from anywhere. And Vispoli said cyber-terrorists probably have the equipment, the skills and an understanding of the critical components of U.S. infrastructure. She added, however, that she is encouraged that the U.S. government itself understands the danger.

"All of the elements are in place to put us at great risk," said Latto. "However, they have been in place for some time, and it hasn't happened yet. The ability to build redundancies into the Internet structure really helps, and government is doing a lot to better tie together agencies and to improve the systems they are running."

Latto said St. Paul policies would cover cyber-terrorist attacks under most circumstances, including threats and denial of service. AIG has had many takers on its coverage for cyber-terrorist attacks, "especially for critical infrastructure or likely terrorist targets," Sagalow said.

Meanwhile, St. Paul is encouraging its policyholders to have risk managers, insurance representatives and information-technology managers work together. "That could really make a difference," Latto said. "Much more often than not, they do not work together. They do different things, but are all working toward the same goal."

RELATED ARTICLE: Web Security on the Web

The Web sites listed below provide information on achieving and maintaining Internet security.

* Federal Financial Institutions Examination Council: www.ffiec.gov
* The National Strategy to Secure Cyberspace: www.whitehouse.gov/pcipb
* The Center for Internet Security: www.cisecurity.org
* Financial Services Information Sharing and Analysis Center: www.fsisac.com
* Internet Security Alliance: www.isalliance.org

Movement Builds for Cyber-Risk Standards.

Like other issues concerning online technology, hacking-related risks generate debate about the merits of industrywide standards. Clint Kreitner, president and chief executive officer of The Center for Internet Security, argues that insurers adopting certain standards as underwriting benchmarks would dramatically decrease the level of cyber-risk.
The center is a not-for-profit consortium of member companies that develop security benchmarks for Windows, Solaris and Linux computer operating systems and for networks and routers. It has developed a master database with some 3,000 defined vulnerabilities and another 3,000 or 4,000 in the process of being defined.

"The magnitude of the exposure is enormous," said Kreitner. About 20% to 30% of vulnerabilities are in software defects, he added. These are usually fixed through manufacturers' patches. The rest are in operating systems, which vendors typically ship without security settings enabled. Buyers are supposed to decide which to turn on, he said.

"The nature of implementing those security settings is a process of hardening up the system, like making your house more secure," said Kreitner. "You can add locks to doors and windows."

Choosing security settings for an operating system is a "highly technical, arcane task for which most organizations are unprepared," Kreitner said. That realization led to the creation of the center in October 2000. Since then, experts from member companies have developed benchmarks that Kreitner said are "very detailed, deeply operational and deep in the weeds."

Progress has been "enormous," according to Kreitner. He said a number of case studies demonstrated that a company that scans its system with a vulnerability scanner and implements the center's benchmarks would eliminate more than 90% of its vulnerabilities. But the insurance industry's adoption of the benchmarks so far has been very slow even though the center's services are free. Kreitner said the insurance industry's embrace of the benchmarks is key to encouraging widespread adoption.

Tracey Vispoli, worldwide manager of financial fidelity in the Chubb Group's Department of Financial Institutions, said she buys into the concept of best-practices standards, but she doesn't believe there is yet a set of standards the United States and the rest of the world will uniformly adopt and consistently update. Also, someone will have to be the owner of the standards and be responsible for updating them, she said.

"The federal government could fill that role, but it wants us to handle our own exposure," she said. "Absent mandates, some will do so, and some will not.
There's really no teeth behind standards if you're not forced to follow them."

Aaron Latto, e-commerce underwriting director with the St. Paul Cos. Global Technology Underwriting Unit, said the idea of insurers using generally accepted standards for underwriting "has a lot of promise" globally.

"We try to keep track of and understand best practices, but we don't have a unified set of standards at this point," he said. "Part of the hesitation is that we want to make sure we wind up with the right set of standards. Since some aspects of Internet security are very technical, a standards body doesn't want to be too specific because things change, but it doesn't want to be too general, either."

Steven H. Haase, CEO of InsureTrust.com, noted that insurers tend to impose only minimum standards for any line of insurance. His company works with sellers and manufacturers of cyber-risk insurance as a wholesale program administrator.

"Insurers are in the business to generate the most premium that's profitable," he said. "If they took the path of eliminating risk, you'd stop buying the insurance. It's a balance."

Haase said he learned that lesson in the first couple of years of InsureTrust.com's operation, when it imposed standards on clients only to see other companies rush in to offer coverage without those restrictions.

And for all the protections high technology can afford, human weakness is likely to remain a vulnerability. "We find most companies have firewalls and other intrusion protections, but they don't know how to operate them, and they don't have programs for training employees," said Haase. "People still keep their passwords on sticky notes attached to their machines. And there's always human error."

Developing best or minimum practices is a worthy goal, said Ty R. Sagalow, executive vice president and chief operating officer of AIG eBusiness Risk Solutions.

"We're involved in a number of groups trying to do that," he said. "We're also a founding member of the Internet Security Alliance."

AIG also contributes by offering to send a team of third-party experts to visit with an applicant. The team issues a 25-page report on the state of the applicant's cyber-security. The report is free, even if the applicant decides not to buy the coverage.

Sagalow cited the federal government's efforts in its National Strategy to Secure the Internet. "We're especially encouraged that it says there is no technological silver bullet to the problem of cyber-risk," he said. "Instead, it recognizes we must put together technology, people, process and insurance to manage the risk... When the president of the United States signs a document that says that, people listen."