Printer Friendly

Getting a Grasp On E-Commerce Risks.

Limited claims history makes it difficult to underwrite new e-commerce risks and to anticipate the claims they will produce.

When new exposures appear, insurance companies traditionally move to fill the void by creating products to address those new risks. The need for new initiatives persists in this technological age.

But opinions differ on how well the industry is responding to these emerging high-tech risks. Some contend that insurers are lagging in the development of a sufficient range of products to address e-commerce and Internet risks. This may be due, in part, to questions about the need for specialized insurance above and beyond traditional property contracts.

"My sense is that companies are trying to see to what extent their current contract already provides or denies coverage," said Robert Meyers, executive vice president, business development, for GAB Robins, which offers independent loss adjusting, investigative services and claims administration to insurers. "At the same time, they're also researching the possibilities of offering specific coverage in the e-commerce environment."

What some see as a slow response may reflect the challenges of underwriting risks in an arena that has no track record and the difficulty of accurately quantifying losses on anticipated claims in largely unexplored cyberspace. But others say the real problem is a hesitant market. To the people who buy insurance for corporations, it's not always clear if general liability policies will handle certain cyber-risks or if additional coverages will be required.

"It's fairly sophisticated to understand, and you really can't write a product effectively unless everyone understands the risk that you are insuring," said attorney Wayne Glaubinger of the national law firm Mound, Cotton, Wollan and Greengrass. "And that's the most difficult part of e-commerce--getting a handle on the risk which, in the computer age, changes every day," Glaubinger said.

"There's a lot of confusion about what is and isn't covered," agreed Kae Lovaas, vice president, technology underwriting, for St. Paul Cos., St. Paul, Minn. "Risk managers are wondering, 'Are there gaps or overlaps?'"

St. Paul Cos., which has dedicated a unit to technology business for 17 years, recently released a survey indicating that many U.S. and European corporations take great pains to protect computer security but are less prepared for new liability risks associated with information technology and e-commerce.

"I think that the insurance companies are responding very favorably to this issue," Lovaas said. "There has to be a demand before a product is marketed. Our survey results show that risk managers haven't yet seen a need to come to the industry."

She said the way the Y2K problem was tackled in the late 1990s, when companies were investing large amounts of time and money into revamping computer systems for the changeover to the year 2000, is a valuable lesson for the e-commerce era.

To address the Y2K problem, corporations brought together their risk-management departments with their information technology departments. "The reality is that those two departments don't talk, don't speak and don't work well together," Lovaas said. "But they did well at Y2K. In general, people say 'Y2K--no big deal, nothing bad happened. Nothing happened because the result was close work between two important parts of an organization."

Lovaas said this type of cooperation would work for e-commerce challenges, too. "If we can bring together the IT department, the legal department and the risk managers, we have an effective model for a solution to this problem," she said.

Gail Bonitati, director of KPMG insurance claims services group, said the insurance industry still needs to educate itself to the types of risk associated with e-commerce. The liability end is pretty well covered, she said, pointing to specialized policies like Marsh's cover for intellectual property loss. "The real discussion is on the property side and how traditional coverage and notions are going to apply," she said. "Property insurance is a perfect opportunity to look at coverage and define where the exposures are and where more insurance is needed."

For their own protection, insurers also should look at their books of business and determine if the bulk is "traditional brick and mortar or all the way up to dot-corns, which have no buildings and do business over the Net," she said. "They can do this by doing an exposure analysis--looking at their book of business to see the exposure they have."

Bitten by the Bugs

The perils of e-commerce were highlighted in 2000 with hacker attacks on Yahoo!, eBay and other sites, followed by the global spread of the "Love Bug" and "Melissa" viruses. The "Love Bug" caused an estimated $10 billion in damage worldwide, and "Melissa" wreaked $80 million in damage.

These attacks created a greater awareness among businesses that the Internet is a vulnerable channel, and they jump-started interest in specialized policies.

"When we look at the activity that occurs within our office after a 'Melissa' or a 'Love Bug,' the phone rings off the hook," Lovaas said. The Insurance Information Institute recently estimated that insurers can expect to see more than $2.5 billion in e-commerce liability premium by 2005.

Only two days before the "Love Bug" struck, Lloyd's released a survey showing that 70% of more than 250 insurance managers, brokers and other insurance professionals expected e-commerce to be the major emerging risk of the new century.

In their report, "Insurance Risks in the Computer Age," attorney Glaubinger and his partner Jeffrey Weinstein note that as the Internet and e-commerce become "the predominant driving forces of the United States and world economies, they also pose the greatest insurance risk of the new century."

Since the report was issued in late 2000, more e-commerce insurance products have hit the market. Much of this can be attributed to the viruses that cropped up last year, Weinstein said.

But it's difficult to quantify the magnitude of the problem, which can involve a company's finances and reputation, Lovaas said. "Companies are not really open to owning up to times when their sites have been hacked, times when their data has been corrupted, or when they've been sued on a legal liability basis for intellectual property infringement, privacy issues and those kinds of things," she said.

Meyers of GAB Robins said his firm is building expertise in e-commerce claims. After numerous discussions with clients, policyholders and insurance companies, the carriers and GAB Robins continue to wrestle with understanding these risks and quantifying them, Meyers said. "We're working parallel to or a half-step behind the carriers," he said. "Our job is to quantify and adjust claims once the event occurs."

Evaluating Exposure

But the industry does have some underwriting history to fall back on in evaluating e-commerce and Internet perils. For one thing, denial-of-services coverage is analogous to business-interruption coverage, Lovaas said. Also, intellectual-property exposures, which have been underwritten for major corporations for years in television and print advertising, can now be applied to the Internet.

"Most large brokerage houses have developed manuscript policies rather than standard form coverage," said Don Corrigan, executive general adjuster for GAB Robins. "In that coverage, there's always been valuable papers and media coverage. Now this moves into Web sites. Those coverages--media and loss of paper--are broader than normal property coverages."

Andy Williams, general manager of IBM's Global Insurance Industry, estimates that the world has seen less than 5% of what the Internet eventually will bring to commerce and society, so it's difficult to predict exactly what will happen in the future. Still, he added, there are a lot of general trends that the industry can interpret. "You can make sensible predictions about the numbers of people connecting to the Internet and the volume of business over the Net," he said. "Where it gets more difficult is in determining what sort of business models will succeed."

Cal Slemp, director, global trust and e-commerce, IBM Global Services, sees initial e-commerce risks as fairly broad in scope. He said the underwriting community has focused attention on things like theft, casualty, fires and fraud as reasonable analogies to the electronic world. "Most e-commerce companies are looking for the same kind of coverages they expect in the physical world, in addition to the new liabilities created by the networked environment," Slemp said.

IBM will go in and assess an insured's business systems, policies and procedures to better help it understand its risks. "With that assessment information, insurers can better determine the extent of risk and the appropriate rates," Slemp said, "We consider the nature of the potential risk--is it banking, retail or health care--because industries have different needs. We look at the applications being used, what security measures are in place and where there is room for improvement."

Slemp thinks the industry is in an evolutionary period. "Whenever you are doing business in a new environment--in this case the Web--there's always a sense of risk", he said. "There also are tremendous opportunities. The success of electronic commerce depends on trust, and today's insurers, their clients and IBM are helping to build that trust by establishing the kind of safeguards we have long expected in the bricks-and-mortar world."

To illustrate the complexity of e-commerce claims and uncertainty over triggers of loss, Corrigan of GAB Robins pointed to a claim he is working on that involves a retail company with 50 computer sites on its network. The firm, which keeps all the details on its properties in its computer system, had its software and hardware serviced by an outside company. But after a virus invaded the retail company's system, several problems developed.

"Ultimately, after six weeks, they changed service companies, and the new firm cleaned the system and rid it of the virus," he said. "The issues now are: When did the event take place? Did the insured mitigate the loss? Was there even a loss that took place? And if there was, what was damaged?"

Down Time

Meyers said he expects the area of e-commerce risks eventually to evolve into "a business-interruption type issue." In their report, Weinstein and Glaubinger discuss business-interruption coverage and conclude that it may be the most vital aspect of insurance solutions for e-commerce companies.

"If a Web site that conducts sales for a company, either a dot-com company or an existing brick-and-mortar company, goes down, that company is going to suffer a business-interruption loss, depending upon how long the virus knocks the system out," Weinstein said, adding that some of the issues that have to be resolved concern measuring the quantum of the loss. "For instance, with these new policies, a consideration is going to be how to calculate the down-time deductible," he said. "In most business-interruption policies, a certain number of days is usually considered to be a deductible, and coverage kicks in after a certain period.

"In addition, business-interruption losses typically are quantified by looking at historical sales data," Weinstein said. "With dot-com companies, because they're so new, they're not necessarily going to have historical data."

Also, because of the growth of some of these dot-com companies, the historical data is going to change and might not be a reliable indicator, he noted. And the more traditional companies that are now doing business on the Web are not going to have historical data, either, Weinstein said. "So the business-interruption determination is going to be based in large part on projections, and it is going to be up to the insurance companies and the accountants that end up quantifying these losses as to how best to go about doing that."

But unlike the scores of Y2K remediation claims that arose after Jan. 1, 2000, e-commerce risks have yet to spawn a big surge of claims under traditional first-party insurance contracts.

"We haven't seen any of these remediation or sue-and-labor type claims for the most part," Weinstein said.

Glaubinger said his firm has heard from policyholders' lawyers who think there is coverage under those types of contracts. But he said he was not aware that insurers had seen a flood of such first-party claims as they have in some other areas in the past. "As of now, I think it's a policyholder argument to try to fit this type of claim under a traditional first-party contract."

Most agree that it's simply too soon to predict what the scope of e-commerce claims activity might be. For one thing, recently launched e-commerce contracts are still too new to generate many claims.

Property Damage

In the meantime, the industry is awaiting developments in an Arizona case, American Guarantee & Liability Insurance Co. vs. Ingram Micro Inc., which broadens the definition of property damage as it relates to computer crashes. The concerns are that this case could spur more e-commerce claims in light of the judge's precedent-setting decision.

The case involves a wholesale distributor of microcomputer products that experienced a power outage on Dec. 22, 1998. The outage, which apparently was caused by a ground fault in a fire-alarm panel, shut down all of the electronic equipment, including computers and telephones, at Ingram's data-processing and database-maintenance operations in Tucson, court papers said.

Power was restored to the data center within a half-hour, and Ingram's three mainframe computers, which had lost all of the programming information stored in their random access memory, were up and running within 90 minutes. But Ingram was unable to conduct business until employees could restore network connections between the data center and six other company locations in the United States and Europe, a process that took eight hours, court papers said.

American Guarantee had denied Ingram's claim under its property policy, with the insurer arguing that the policy language specified that coverage was available only for physical damage to property. But Ingram offered a broader definition, and the court ruled in its favor.

"At a time when computer technology dominates our professional as well as personal lives, the court must side with Ingram's broader definition of 'physical damage,' "said Senior U.S. District Judge Alfredo C. Marquez. "The court finds that 'physical damage' is not restricted to the physical destruction or harm of computer circuitry, but includes loss of access, loss of use and loss of functionality."

The case is pending in District Court in Arizona.

"To our knowledge, the Ingram Micro decision is the only one of its kind to this point," Weinstein said. "So I think most people in the insurance industry are considering it to be an anomaly until other courts, if it happens, pick up on it."

Insurers think the decision will not survive appeal. But if the judge's ruling is upheld, carriers likely would spring into action, rewriting their policy contracts to narrow the definition of "physical property" and exclude any form of e-commerce coverage.

"We are watching this case very closely," Lovaas said, "very closely."

Survey: Businesses Unprepared for E-Commerce Perils

While risk managers view technology risks as very important, many don't fully grasp what these perils are, and few of their companies have structures in place to manage cyber-risks, according to a survey of nearly 1,500 top executives in major corporations in the United States and Europe.

The survey, released by global insurer St. Paul Cos., also found that risk managers think their current insurance program is only "somewhat adequate" in terms of protecting their companies against technology risk.

"We wanted to find out how well risk managers understand and identify their company's technology exposures and how effectively they manage the risk and the tools they use to do so," said David Monfried, vice president of St. Paul Cos.' corporate communications, during a simulcast news conference in New York and London. "The responses we received were surprising, often startling. And we think they should serve as a real wakeup call for any company conducting business on the Internet today, any company with a database accessible via the Internet today."

Kae Lovaas, vice president of technology for St. Paul Cos., said the survey indicated that companies rely chiefly on systems-based protection, such as anti-virus software and computer fire walls to prevent losses from e-commerce risks. But she noted that while security breaches are major concerns and have dominated the headlines, "the liability risks associated with e-commerce and the Internet pose equally significant worries for risk managers. Indeed, liability concerns are harder to quantify but just as dangerous as the security risk that companies face."

She listed some of the key e-commerce risks to modern companies as computer fraud, hackers, misappropriation of intellectual property, defamation and false advertising, professional liability and employment liability.

"In the age of e-commerce, every employee with a computer and a modem is creating Internet risk for their corporation," Lovaas said.

According to the survey, technology risks are the No. 1 concern among European companies and the No. 2 concern among U.S. companies, second only to employment liability risks. But four in 10 risk managers described themselves as having only a "fair" to "poor" understanding of how e-commerce and Internet risk impact their companies, the survey said.

"What's more, the U.S. brokers are skeptical of their clients' preparedness," Lovaas said. "Nearly half of the brokers surveyed said that their clients were only doing a 'fair' job of managing e-commerce and Internet risk and another 29% were actually doing a 'poor' job."

Also significant, she said, is that the vast majority--75% of companies--have no formal process in place to monitor and manage e-commerce risk. Of those that have a formal process, almost half consider it to be ineffective, she said.

A bright spot in the survey, however, is that one industry--financial services, particularly in the United States--is doing a better job in the technology-risks arena, Lovaas said. "Financial-services companies are ahead of the pack in terms of awareness and identification of the risks," she said. "They also are more likely to proactively monitor and manage the risks at their companies."

Other Survey Findings:

* About half, or 52%, of U.S. companies and two-thirds or 67%, of European companies have inventoried and quantified their technology exposures, considered a basic step in risk management.

* Employees generally are the least informed about technology risks. About 75% of U.S. executives and 60% of European executives said their employees had only a "fair" or "poor" understanding of technology risks. But risk managers rated their information technology departments as the best-informed, followed by top management.

* Only 60% of U.S. companies and 56% of European companies had implemented employee-training programs as part of their drive to manage technology risk.

"The big picture that we see on this issue is not a good one," Lovaas said. "It's absolutely clear that companies are underprepared to deal with this problem. Compared to the traditional property-liability risk, companies are poorly prepared for the risk of doing business on the Internet."

According to the survey, most risk managers acknowledge that they have gaps in their insurance coverage for this risk and a significant percentage indicates that they have not even analyzed the necessary exposures, Lovaas said.

She recommends that risk managers take the lead and partner more effectively with front-line management. "Besides the technology solutions, they have to help their companies establish management practices that can impact the behaviors that often lead to losses," Lovaas said. "We believe this survey provides risk managers with the ammunition necessary to go to the top executives" and plead their case, she said.

The survey, conducted by telephone, personal interviews and with focus groups, represents the opinions of 1,500 risk managers, chief financial officers and others who are responsible for purchasing property/liability insurance in major corporations with annual revenues of $250 million or more. It was conducted by the NewYork-based research firm of Schulman, Ronca & Bucuvalas Inc.

Detailed information on the survey is available on St. Paul's Web site at

Policy Parade

Recognizing the dramatic increase in the number of companies using the Internet to conduct business, some insurers have responded with new products intended to fill the e-commerce gaps in standard policies.

An example is commercial property/casualty insurer Crum & Forster, which launched EComLiability, a companion product to its inland marine EComProtector policy, in January. EComLiability expands traditional liability coverages to protect businesses from emerging risks created by use of the Internet and e-commerce activity. The coverage territory is worldwide because of the global nature of the Internet, and the property damage definition is expanded to include injury to Web site content and information of others in the insured's care, custody or control. It is an optional endorsement to Crum & Forster's comprehensive general liability coverage form.

"I think you'll see more products of this nature in the marketplace in the next few years, considering the exposure that these companies will have." said John A. Traynor, vice president of marketing. "The industry is going to have to provide for this."

Other examples of insurers' reactions to e-commerce risks include the following:

* Marsh Inc. offers NetSecure in conjunction with American International Group Inc., Zurich Group's Fidelity & Deposit Cos., Chubb Corp. and underwriters at Lloyd's. This product covers areas of risk that include privacy, content and software code infringement; attacks; viruses; programming errors; theft of information; destruction; alteration or disclosure of data; security breaches; and fraud.

* Lloyd's e-Comprehensive product insures against crime risks such as extortion--when someone threatens to introduce a virus into a computer system. The policy pays for a risk-management firm and for the cost of surveillance as well as business-interruption losses caused by a cyber-crime. e-Comprehensive also covers third-party liability for such risks as libel, defamation, slander and trade infringement.

* Media/Professional Insurance, a managing general agent for Gulf Insurance Group, a subsidiary of Travelers, offers Cyber Liability Plus, a third-party liability product that provides coverage for harm caused by an insured's negligence. For example, a service firm that works on a company's computer system and is responsible for seeing that cyber-attacks are filtered out would be liable for negligently servicing the software if something like the "Love Bug" invaded and harmed that system.

* St. Paul Cos. recently expanded its technology business unit, adding 33 staff members, including experts in e-commerce security and intellectual property law. Previously, the unit employed 187 people. The company said the expansion was needed to address new market opportunities created by the Internet, wireless communications and e-commerce. In January, St. Paul said two of its technology products--Media Liability and Networker--would be offered to nontechnology companies. Media liability is an integrated personal injury, advertising injury and media injury liability insurance agreement. Networker provides coverage for certain types of computer fraud, denial of service, telecommunications theft, ransom for computer-related threats, post-loss mitigation expenses and public-relations activity.

* American International Group formed AIG eBusiness Risk Solutions in November. The new division's role is to analyze new e-commerce risks as well as design and deliver insurance solutions for the business-to-business market. Its products will address Internet risks, including network security, credit, payment and transit. In January, AIG said its American International Cos. was introducing the AIG netAdvantage program, a series of liability coverages based on the degree to which an insured does business on the Internet.
COPYRIGHT 2001 A.M. Best Company, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2001, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Printer friendly Cite/link Email Feedback
Comment:Getting a Grasp On E-Commerce Risks.
Author:Bowers, Barbara
Publication:Best's Review
Article Type:Brief Article
Geographic Code:1USA
Date:Mar 1, 2001
Previous Article:Rethinking the Rules.
Next Article:Keeping Faith.

Related Articles
TSI Software Announces Data Transformation Solution for Microsoft Site Server 3.0 Commerce Edition.
Ernst & Young Supports Microsoft e-Commerce Strategy With New Service That Gives Clients Fully Functioning Web Business Presence in Less Than 30 Days.
Surebridge Teams With Ariba to Deliver Business-to-business eCommerce Solution to Mid-Market Companies.
NewsEdge Unveils eContent Publisher; Powerful New Tool Enables Customization of High Impact News on Web Sites, Intranets and Extranets.
New Report Reveals: Global B2B eCommerce to Reach $2.7 Trillion by 2004; eMarketer Raises Estimates as Old Economy Firms Drive eCommerce.
Ecommerce confidence high amongst UK SMEs. (IT News).
Wine ruling a setback for consumers.
Giant slayer: little-known GSI Commerce puts the hurt on Amazon.
IT news and products; Actinic finds ecommerce in 2007 is more profitable & less expensive.

Terms of use | Privacy policy | Copyright © 2018 Farlex, Inc. | Feedback | For webmasters