Deleting the risk: Hackers invading corporate Web sites by using more sophisticated techniques fuel the market for cyber-risk insurance. (Cyber-Risk: Technology).
The problem appears to be widespread. Of those responding to the "2002 Computer Crime and Security Survey," 90% said they had discovered computer security breaches within the last year. The survey, conducted by the Computer Security Institute and the FBI's San Francisco field office, also found that 80% of respondents suffered financial losses due to computer breaches.
The recent hacking of Ford Motor Credit Co.'s computer database illustrates the potential loss and devastation present in cyber-risk. Entering through a database operated by credit-reporting agency Experian, hackers downloaded the Social Security numbers and addresses of 13,000 customers. This type of personal information can be used to apply for credit cards or mobile phone service. Both Ford and Experian could be sued for failing to keep confidential information out of the hands of hackers.
But as another recent survey indicates, buying Internet-related insurance still isn't top of mind with most corporate executives. A recent St. Paul Cos. survey of 251 risk managers of large corporations found that the majority are unprepared to assess Internet-related risks. Even though they expect the risks to escalate within the next two years, few risk and information-technology managers surveyed said they would consider adding insurance coverage. Instead, risk managers are relying on their company's information-technology investment to prevent security breaches and existing insurance policies to cover losses if a breach occurs.
This practice is folly, and many insurers are clarifying their commercial property/casualty policies to separate coverage of tangible and intangible property, said David O'Neill, vice president of e-business solutions for Zurich North America. "Computer code and information is intangible. Insurers never underwrote or priced for these new exposures, so now many are sending out clarification notices to policyholders advising that code-related exposures are not covered under traditional insurance lines. The resulting question from many insureds is that if it's not covered, how do I get it?" he said.
Intangible assets are becoming a big issue for businesses. At the same time that insurers are excluding intangible assets from coverage, businesses are being directed by the Financial Accounting Standards Board to state the value of those assets. The value of data and computer code needs to be quantified to measure its portion of a business's market value. Corporations, such as pharmaceutical companies, are discovering that intangible assets are a huge percentage of their market capitalization and are beginning to look at the risk-transfer issues involved.
Intangible perils are beginning to damage intangible assets. For example, a virus could wipe out crucial data. Since most commercial property/casualty policies have no definition for "hacker" or "denial of service," there is room for a new product to cover those risks, said Michael Flanagan, a cyber-insurance broker for Arthur Gallagher.
Flanagan compares the slow acceptance by upper management of cyber-risk coverage to the growth pattern of another niche market--employer practices liability insurance. Conning & Co. estimates that cyber-risk insurance accounts for $50 million to $100 million in premium annually, but that could grow to $6 billion by 2006. Only a handful of insurers write the coverage. American International Group has snared a 70% market share, with about 1,200 clients. The remaining 30% includes the London market, Zurich North America, Chubb, St. Paul Cos. and Liberty Mutual.
The Conning report, "E-business Insurance Products--Emerging Market or Specialty Coverage?," concludes that there are many questions remaining about the short-term and long-term viability of e-business insurance, such as how quickly the market will grow and concerns about how insurers will manage the global-scale risk for Internet-related catastrophes. "E-business is redefining the what, when, where, how and how much of business-loss exposures. When things go wrong on the Internet, they do so at lightning speed. Devastating losses can hit businesses anywhere in the world," said Clint Harris, a Conning vice president and author of the study.
One of the major players in the market, Zurich, warns that to be successful in this niche market, insurers must have a committed infrastructure and a dedicated practice, because the potential losses are so great and, to some extent, are changing every day. "History is being created every day in this line. You're playing with catastrophic loss; one hit can have a major effect," O'Neill said.
Zurich's experience in this line reveals a general weakness in corporate technology-security practices. "On the outside, they are hard and crunchy, but their inside is soft and gooey," he said.
Zurich's E-Risk Edge product offers a cafeteria-style selection of coverage options that clients can choose from to build the cyber-insurance coverage they need. Among the options are protection from unauthorized access to or use of data or software, libel, slander, copyright infringement and public disclosure of information. E-Risk Edge also picks up where traditional coverage leaves off. Most commercial policies don't cover the value of stolen intellectual property, software or data. E-Risk Edge reimburses policyholders for the value of the data, money, securities, software and computer resources lost as a result of a covered e-business incident.
Liberty Mutual, which launched its cyber-risk product about five months ago, said although there isn't much of a demand for Internet coverage right now from most corporate "users" of the Internet, it is important to build an infrastructure to meet future demands for the product. "We're gearing up for small to medium-size, old-economy companies that are just becoming cognizant of Internet and network exposures," said Carl Pursiano, vice president of technology and Internet development, Liberty Mutual. "Most clients aren't there yet. The most interest is from technology company service providers." Liberty's product includes coverage for wrongful acts on the Internet, such as copyright infringement or plagiarism; errors and omissions in relation to designing a Web site or conducting e-commerce and technical service; and wrongful acts stemming from consulting, system analysis and data processing.
As the sophistication of hackers and malicious code increases, financial losses from cyber-attacks continued to rise for the third consecutive year, according to the 2002 CSI/FBI study. The most serious financial losses occurred through theft of proprietary information and financial fraud. KPMG's Global Information Security Survey determined that the average direct loss of security breaches was $108,000, excluding employee downtime and reduced productivity.
The Computer Emergency Response Team operating out of Carnegie Mellon University reports that hackers implement advanced attack techniques that are more difficult to detect through anti-viral software and intrusion-detection systems. For example, hackers use techniques that hide the nature of the attack tool, causing information-technology departments to rely on laboratory testing and reverse engineering to rectify the problem. In addition, hackers are using automated attack tools that can vary their patterns on random selection and predefined decision paths, according to the CERT report. Hackers also are using new technology to blast through firewalls, and they are increasingly attacking key components of the Internet through denial-of-service incidents and attacks on the Internet Domain Name System, according to other findings from the CERT report. DNS is the directory that translates names to numeric addresses. An attacker can intercept the information on the directory, insert incorrect information and redirect traffic from the legitimate site to a site under the hacker's control, according to CERT.
There are two kinds of hackers--the professionals and "scriptkiddies," or teen-agers who have a lot of talent and want to see how far they can go--said hacker expert Kevin Ketts of SecureWorks, an intrusion-prevention company. The typical scenario is for a hacker to probe networks looking for vulnerabilities and run an exploit to get to the level of access he or she needs to get data. Ketts said hackers also gain access to companies through social engineering. They can call into a support center of a company and obtain a password or hang out where technology people from a large corporation hang out, get to know them and ask challenging engineering questions in an attempt to fish for information. While most corporations have a degree of security awareness, they don't know specifically what to do or how to manage it, Ketts said.
The financial-services and healthcare industries are particularly vulnerable to cyber-attacks. "These industries have what people want--credit-card and personal-health information," said Gallagher's Flanagan. Looking back over the seven-year history of the CSI's cyber-risk survey, its director, Patricia Rapalus, sees several truisms emerging. "There is much more illegal and unauthorized activity going on in cyberspace than corporations admit to their clients, stockholders and business partners or report to law enforcement. Incidents are widespread, costly and commonplace," Rapalus said.
The Financial-Services Niche
Chubb's cyber-security product protects banks' "dirty little secret," the fact that the majority of financial institutions are being violated by hackers. The invaders are going after credit-card and Social Security numbers and, in some cases, getting as far as selling the stolen information on Internet sites or chat rooms. "Financial institutions are collecting large amounts of data and discovering it's worth something," said Tracey Vispoli, technology product manager for Chubb.
It is estimated that 30% to 40% of attacks are not reported to law enforcement because in a market where security is highly touted, no institution wants the competition to know it is exposed. "No one wants the secret of their vulnerability to be let out. You certainly wouldn't want to put money in a vault that wasn't locked," Vispoli said.
Banks particularly need protection because they are so dependent on technology. Even the smallest community banks are embracing technology to compete with the Fleet Banks and Citigroups. According to a 2001 Community Bank Technology Survey from the Independent Community Bankers of America, Internet banking is the leading technology decision this level of bank will face in the near future. This technological entrenchment is the reason regulators like the Federal Deposit Insurance Corp. and Office of Thrift Supervision are recommending that all banks obtain cyber-risk coverage.
A typical financial-services cyber-loss, Vispoli said, involves a hacker bridging the firewall of a community bank and extracting private customer information, which he or she threatens to publish if a fee isn't paid. "Banks then face the fact they allowed a breach of security, which could lead to a class-action suit brought by customers for not supervising their private information properly. Then you have a true loss of money," Vispoli said.
Chubb's cyber-risk product, which offers coverage to every segment of the financial-services market, insures in cases of extortion demands, vandalism of a Web site and alteration of its data, business interruption and virus attacks. Chubb uses a Network Security Risk Assessment on-site walk-through of each client's security protocols. It includes the personnel side of the security issue. Chubb asks about who has firing and hiring privileges, how employees are trained in security, whether they are instructed not to open attachments and who is approving third-party information.
Critical Security Issues

Senior managers responsible for information security in a cross-section of the world's largest organizations--those with gross revenue greater than $50 million--were asked what they thought were the most important security issues facing their organizations.

|Security issue|Percentage|
|Viruses|22%|
|Hackers|21%|
|Remote Access Controls|17%|
|Internet Security|10%|
|Data Privacy|5%|
|Education of Users|5%|
|B2B Security When Collaborating With Partners|5%|
|Internet Fraud|4%|
|Theft or Damage to Data|4%|
|Other|7%|

Source: KPMG LLP
Note: Table made from pie chart
RELATED ARTICLE: Wireless Communications: The Next Big Risk?
Using a homemade antenna, wireless card and a regular laptop, hackers--or college students out for fun--are cruising city streets tapping into valuable corporate information. The sensitive business data stored in wireless networks, laptops and personal digital assistants can be scooped up in drive-bys, because wireless security currently is only about 80% effective.
"The problem starts when companies forget that wireless communications is not restricted by the walls of the building," said Rick Shaw, president of CorpNet Security. Cyber-risk insurers, such as Zurich North America and Chubb, view wireless communication as a growing field that raises great concerns for risks.
Shaw advises users of wireless products to use all the security measures that are built into the devices and limit who can be connected to the network. "Even if using all security techniques, remember if the information is sensitive to make sure it's not going out over a wireless network," Shaw said.
Shaw offers the following tips to reduce risk when using a wireless network:
* Turn on encryption--most are using wireless encryption protocol. New versions are coming that will be more secure.
* Protect drivers and folders with strong passwords (not names or words).
* Change the default service set identifier or wireless network name.
* Isolate wireless traffic from primary network traffic.
* Establish and educate employees about policies for wireless usage at work and home, password requirements and regulatory usage requirements of Homeland Security and the Gramm-Leach-Bliley Financial Services Modernization Act.
|Article Type:||Brief Article|
|Date:||Jul 1, 2002|