NEW YORK, August 13, 2003 - As companies become more dependent on their computer networks for vital data, business continuity and communications, their vulnerability to cyber catastrophes increases.
"Unfortunately, most companies are operating in a 21st century threat environment with 20th century insurance coverage," states John Spagnuolo, spokesperson for the Insurance Information Institute (I.I.I.). "The dynamics of risk management have changed with technology."
The insurance industry has developed cyber insurance products to help businesses confront the growing number of network security risks that have the potential to shut down a network, destroy vital data or expose customer information. For example, as the public becomes more concerned about privacy, businesses will become more aware that they are liable if their customers' personal information is compromised. However, only a small number of businesses are properly insured.
According to Ernst & Young's 2003 Global Information Security Survey of 1,400 organizations, only seven percent of respondents knew they had a specific insurance policy geared to network and cyber-risk. Nearly a third (33 percent) thought they had coverage they actually lacked. Another 34 percent knew they lacked such coverage, while 22 percent didn't know the answer. Ernst & Young characterized the fact that only 7 percent of surveyed companies had cyber insurance as "astonishingly low, given the risk environment and the fact that general policies don't provide such coverage."
"Regardless of its product line or service, virtually all major businesses today rely on computer networks to function," adds Spagnuolo. "But they need to recognize that network security risks are fundamentally different from traditional physical risks like fire. If a hacker or virus shuts down a network or destroys computer software or data, most businesses today have either limited or no coverage. Insurers have excluded these risks from standard commercial policies and are now offering stand-alone coverage. Whether your company conducts business over the Internet, stores customer data on servers or simply uses email, it is at risk."
In fact, the number of incidents reported to the CERT® Centers at Carnegie Mellon University's Software Engineering Institute, which focuses on ensuring the integrity and survivability of computer networks, nearly quadrupled between 2000 and 2002, rising from 21,756 to 82,094. A single incident may involve one site or possibly thousands of sites. Over the same period, the number of vulnerabilities reported to the CERT® Centers also nearly quadrupled, from 1,090 in 2000 to 4,129 in 2002. Possible effects of a cyber attack include denial of service, unauthorized use, loss or misuse of data, and loss of public confidence in an organization.
The Computer Security Institute (CSI), in cooperation with the Computer Intrusion Squad of the San Francisco Federal Bureau of Investigation (FBI), released the results of its 2003 Computer Crime and Security Survey. More than 250 respondents, including computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities, reported over $200 million in losses. According to CSI, the findings confirm that the threat from computer crimes and other information security breaches continues unabated.
"The trends the CSI/FBI survey has highlighted over the years are disturbing," states Chris Keating, CSI Director. "Cyber crimes and other information security breaches are widespread and diverse. Fully 92 percent of respondents reported attacks."
The number of intruders grows each day, and they are quite different from those of 10 years ago. An attacker no longer has to be a sophisticated programmer to harm a computer system. Intruders can use the Internet to educate themselves, and they now have access to easy-to-use tools that allow them to do large amounts of damage in short periods of time.
"Intruders could be professional criminals, terrorists, industrial spies, teenagers and perhaps even employees," emphasizes Spagnuolo.
Cyber-Risk and Homeland Security
Securing the nation's cyberspace is also a critical element of homeland security, a strategic challenge that requires commitments by both the public and private sectors.
According to the National Strategy to Secure Cyberspace, released by the Bush Administration earlier this year, "Cyber attacks on U.S. information networks can have serious consequences such as disrupting critical operations, causing loss of revenue and intellectual property or loss of life... There is no special technology that can make an enterprise completely secure. No matter how much money companies spend on cybersecurity, they may not be able to prevent disruptions caused by organized attackers. Some businesses whose products or services directly or indirectly impact the economy or the health, welfare or safety of the public have begun to use cyber-risk insurance programs as a means of transferring risk and providing for business continuity."
"The insurance industry can play a pivotal role in securing cyberspace by creating risk-transfer mechanisms, working with the government to increase corporate awareness of cyber-risks and collaborating with leaders in the technology industry to promote best practices for network security," says Richard Clarke, former chairman of the President's Critical Infrastructure Protection Board.
By writing policies for network security exposures, the insurance industry is providing:
"Traditional insurance policies such as standard property and commercial general liability insurance do not adequately deal with the risks of a cyber attack or network security failure," cautions Spagnuolo.
Specialized cyber-risk coverage is available primarily as a stand-alone policy. Each policy is tailored to the specific needs of a company, including the technology being used and the level of risk involved. Both first- and third-party coverages are available, including:
Depending on the policy, coverage can apply to attacks launched internally or externally, and to viruses whether specifically targeted against the insured or widely distributed across the Internet. Premiums can range from a few thousand dollars for base coverage for small businesses (less than $10 million in revenue) to several hundred thousand dollars for major corporations desiring comprehensive coverage.
Risk Prevention Services
As part of the application process, some carriers offer an online and/or on-site security assessment free of charge, regardless of whether the applicant purchases the insurance. This is helpful to the underwriting process and also provides valuable analysis and information to the company's chief technology officer, risk manager and other senior executives.
"Thousands of policies have been written for cyber coverage since the late 1990s," according to Robert Hartwig, chief economist for the Insurance Information Institute. "Policies written for cyber insurance are likely to reach $2 to $3 billion within the next four to five years as companies recognize existing gaps in their coverage."
Recent legislation and regulation such as the Gramm-Leach-Bliley Act (GLB), the Health Insurance Portability and Accountability Act (HIPAA) and California's Security Breach Information Act (SB 1386), effective 7/1/2003, are also expected to substantially increase potential legal liabilities in this area, increasing the need and demand for cyber-risk insurance coverage.