Does insurance really ensure computer security?

In early November 1988, a college student at Cornell University in Ithaca, NY, loaded a program into his computer, which then entered the ARPANET communications network, which is linked to colleges and universities across the United States. His program, which is referred to as a "computer tapeworm," shut down 6,000 computers and cost millions of dollars in lost computer time.

It is the job of the risk manager to know whether his company's computer system could survive such a loss, whether such a loss can be prevented and, if not, whether his company's present coverage can be modified to cover this type of loss. To answer these questions, a risk manager should have some knowledge of basic computer terminology and understand how a computer tapeworm works and why it causes problems.

A computer tapeworm is an entire program that replicates itself throughout a computer or another related system. Tapeworms do not use the resources of other programs, but they can destroy or modify files, data and other programs. Tapeworms are written as separate, stand-alone programs, and do not hide inside other programs.


Computer viruses are secret instructions that replicate themselves by subverting existing programs. While viruses can be either helpful or harmful, risk managers need only concern themselves with those viruses that destroy or modify other programs, files, data or hardware. Because viruses hide inside other programs, they are usually difficult to detect. For this reason, they are often referred to as trojan horses.

A trojan horse is a set of instructions that lies dormant in a computer system until it is implemented by an unsuspecting user. Once implemented, the instructions perform functions designed by the perpetrator, such as occupying empty space and overloading the system or destroying information.

A computer virus can be created by almost anyone with basic computer programming skills. The virus created can be a humorous message that causes no problems, or it can result in a catastrophic system crash.

Viruses enter a computer after someone designs a program and copies it onto a floppy disk. Once the infected program is circulated throughout the system, the virus self-replicates and moves from computer system to computer system. The perpetrator may make copies of the virus program and give or sell them to friends and associates who, in turn, will sell them in good faith to their friends and associates. For more widespread distribution, the originator may put the infected program on numerous computer bulletin boards, allowing people across the country to download the infected program into their system. The originator could also send the infected program to other users over various communication or electronic mail systems so that sooner or later the virus will enter a corporation's computer system.

Potential problems

One of the worst problems a virus can cause is the destruction of data or programs. Millions of dollars' worth of information can easily be wiped out in a fraction of a second, and the modification of data or programs can be equally devastating. It would be disastrous if all a company's general ledger balances or accounts receivable balances suddenly read as zero or if incorrect management decisions were made based on faulty information supplied from an infected computer system.

The tapeworm discovered in November 1988 did not destroy or modify data or programs. It simply used up all the computer's power to send internal messages back and forth between different units. Because their systems were intentionally overloaded, people could not use them to perform their daily work functions.

Aside from damage, one problem common to all viruses is that an infected computer system must be disinfected, resulting in many hours of lost computer time, many dollars of in-house personnel costs and many dollars of outside consultant costs. Another potential problem is the reinfection of a system. Nine out of ten infected installations experience a relapse within a week of cleaning out the original virus with some organizations having to eradicate a virus as many as a dozen times only to have it reoccur.

Controlling Losses

The first line of defense against viruses is to prevent them from entering a company's system in the first place. Companies should only use programs and floppy disks which they know have not been contaminated. Never boot from a floppy disk other than the original, write-protected software purchased directly from the manufacturer or authorized distributor. Always use write-protect tabs to keep viruses off floppy disks and write-protected hard disks whenever possible.

It is always a good idea to do a full system backup before installing any new software. This will allow a company to recreate information should the new software be carrying a virus or other problems arise.

There are commercial software systems available to the general public which are specially designed to prevent viruses from entering a system. These so-called vaccination methods do prevent viruses, but the people who write viruses know what vaccination systems are available and can write their viruses to sidestep these safeguards.

Virus detection software is also available, and although these products are highly reliable and difficult to circumvent, they only detect viruses; they do not prevent them. A company's risk management staff should work closely with the data processing and security departments to evaluate the available software solutions and develop an appropriate defensive strategy.

Insurance Coverage

Standard insurance coverage for losses due to computer viruses varies considerably, as does its effectiveness. It is important to understand that almost all policies are different. To date, no losses caused by viruses have been presented to underwriters as a claim. Since no losses have been submitted, litigated or tested, no precedents have been established in this area.

When reviewing policies to determine coverage for losses due to tapeworms or viruses, several sections are critical. Property Insured and Property Excluded determine whether data, media and programs are covered. Perils Insured and Perils Excluded are equally important in determining whether a specific loss is covered. Valuation for individual data, media and programs must also be addressed in detail.

A typical data processing policy promises protection for ". . . covered property against all risks of direct physical loss or damage that occur while the agreement is in effect." It generally covers losses due to short-circuiting, electrical system blowouts, and electrical or magnetic field injury to covered equipment, data and media. Coverage generally includes ". . . any accidental erasure of data caused by electrical or magnetic injury, or operator or programmer error."

A data processing policy usually excludes dishonesty, or "any loss caused by fraud, dishonesty or a crime committed by you, a partner, your officers, your directors, or your trustees." It will cover "loss caused by willful acts of malicious intent by your officers, directors, or trustees if the acts are committed without a clear intent of obtaining financial benefit for that person or anyone else." It also excludes any extra expense or business interruption loss caused by programming errors or by instructing the machine incorrectly.

The policy can be extended to cover data defined as ". . . facts, concepts, or instructions in a form usable for communications, interpretation, or processing by automatic means, including computer programs." Data loss is insured for the actual cost of reproducing the data, up to the limit of the coverage that applies, provided the policyholder actually replaces or reproduces it. It is important to note that coverage for business interruption or extra expense losses, as a result of an insured loss, can be added to the policy at an additional cost.

A computer virus may get into your system and not destroy any data or programs. It may simply use up space so you cannot use the system. Unfortunately, a data processing policy will not cover the losses that result, since no physical loss or damage has occurred to trigger coverage.

The destruction of data due to a computer virus would probably be considered a covered loss, because it meets the requirement of "physical loss or damage." A virus alters the magnetic properties of a computer's hard disk and other storage devices, and the resulting change could be viewed as either a physical loss or physical damage. Some data processing underwriters have agreed on this interpretation. Conversely, the programming error exclusion may create some recovery problems under the business interruption or extra expense section of the policy, and if the perpetrator falls under the personnel category within the dishonesty exclusion, the loss may not be covered.

Property Policies

Some property policies use standard Insurance Service Offices (ISO) forms, while others are manuscripted to broaden coverage. As with the data processing policy, property policies will probably not cover the losses resulting from a virus if no data is damaged or destroyed.

In ISO's basic "All Risk" Special Personal Property form, the property covered is defined as "Business Personal Property owned by the Named Insured and usual to the occupancy of the Named Insured" in the building. Accounts, bills and evidences of debt are all excluded by the form. The ISO form also has a section entitled, "Property Subject to Limitation," which states that computer programs and media are covered for specific perils.

Unlike the ISO form, a broad manuscript form covers "All Real and Personal Property owned, used or intended for use by the Insured." It should not have any property exclusions for media, data or programs, and the valuation should be for the repair or replacement cost and include all costs to recreate, research or gather information or data.

The best possible coverage would be to have the Perils Insured section cover "all risks of loss or damage." As in the data processing policy, either of these wordings might cover computer virus losses, but many property adjusters and underwriters do not agree.

Financial Institution Bond

The form 24 Financial Institution Bond will cover "... loss of property resulting directly from ... damage ... or destruction thereof ... while the property is lodged or deposited within offices or premises located anywhere." Property is defined as "books of account and other records, whether recorded in writing or electronically." The bond provides coverage if either an employee or a non-employee is responsible for the damage or destruction. This means that the Financial Institution Bond should cover most computer viruses that involve the destruction of or damage to data.

The problem lies in the valuation for records. The valuation states, "in case of loss of, or damage to, any books of account or other records used by the Insured in its business, the Underwriter shall be liable under this bond ... for not more than the cost of the blank books, blank pages or other materials plus the cost of labor for the actual transcription or copying data ..." It costs very little to copy electronic information, so this is obviously not full coverage for an insured loss and no business interruption or extra expense coverage can be provided.

The bond does cover "Loss of or damage to furnishings, fixtures, supplies or equipment within an office of the Insured ... resulting directly from ... vandalism or malicious mischief ... provided that the Insured is the owner of such furnishings, fixtures, supplies or equipment ... and the loss is not caused by fire." Since the bond does not define furnishings, fixtures, supplies or equipment, it might be construed that computer tapes or computer programs may fall within this category. This assumption may be incorrect, however, since records are more specifically covered under a separate section of the bond.

There is no guarantee that existing insurance policy options will cover computer virus losses. Even if the peril is insured, a company may not be able to recover the full loss because of policy limitations and restrictions. The only way for a company to know how its insurance coverage would respond to these losses is to discuss them with its broker and underwriter beforehand. An agreement must be reached regarding the extent of coverage and the agreement must be well documented and endorsed onto the policies.

It is an understatement to say that computer viruses can create large problems for any organization. And for that reason, prevention will always be a company's best measure of control. Risk managers must review their organization's loss control mechanisms and make sure that coverage for losses due to computer viruses is specifically endorsed onto all insurance policies.
COPYRIGHT 1989 Risk Management Society Publishing, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1989 Gale, Cengage Learning. All rights reserved.

Author: Ryan, Richard W.
Publication: Risk Management
Date: Nov 1, 1989