Cybercrimes Increase As Economy Falters

Traditional Business Insurance Policies Not Adequate for Cyber Exposure, Says I.I.I.

INSURANCE INFORMATION INSTITUTE 
Contact: Press Offices
New York: 212-346-5500; media@iii.org 
Washington, D.C.: 202-833-1580 

NEW YORK, February 23, 2009 — A weakening economy has exacerbated the problem of cyber-related crimes, causing millions of dollars in losses to businesses. Spamming, hacking, pinging and denial of service are just a few of the fraudulent cyber attacks that can cripple a business. Reliance on traditional insurance and information security to deal with these ever evolving risks is not enough, making cyber insurance critical to protecting businesses, according to the Insurance Information Institute (I.I.I.). 

“The surge in cyber crimes is enormous,” said Loretta Worters, vice president of communications with the I.I.I. “From email phishing scams, which attempt to trick a consumer into providing sensitive data to fake Web sites, to cyber hijacking, in which crooks use stolen usernames and passwords to filch online accounts, these schemes damage networks, data and computer systems as well as expose businesses to third-party claims.” 

The insurance industry has developed cyber insurance products to help businesses confront the growing number of network security risks that have the potential to shut down a network, destroy vital data or steal customer information. As the public becomes more concerned about privacy, businesses have become more aware that they are liable in the event the personal information of their customers is compromised. However, not enough businesses are properly insured. 

According to a recent Ernst & Young survey of 1,400 organizations in its 2008 Global Information Security Survey, only 13 percent of survey respondents currently have insurance coverage for the losses resulting from a cyber attack. In addition, only 20 percent of respondents have a documented strategy for information security and less than half perform formal risk analyses to direct information security activity. 

Losses from cyber crimes can be considerable and are on the rise. The 2007 Computer Security Institute’s Computer Crime and Security Survey noted that 46 percent of companies had experienced one or more security incidents in the past 12 months; the average reported loss increased to $350,424 from $168,000 the previous year. 

“Regardless of product line or service, virtually all major businesses today rely on computer networks to function," said Worters. “But they need to recognize that network security risks are fundamentally different than traditional physical risks like fire. If a hacker or virus shuts down a network or destroys computer software or data, most businesses today have either limited or no coverage. Insurers have excluded these risks from standard commercial policies and are now offering stand-alone coverage. Whether your company conducts business over the Internet, stores customer data on servers or simply uses email, it is at risk.” 

Specialized cyber-risk coverage is available primarily as a stand-alone policy. Each policy is tailored to the specific needs of a company, including the technology being used and the level of risk involved. Both first- and third-party coverages are available. 

Types of Coverage

• Loss/Corruption of Data – Covers damage to, or destruction of, valuable information assets as a result of viruses, malicious code and Trojan horses.
• Business Interruption – Covers loss of business income as a result of an attack on a company’s network that limits the ability to conduct business, such as a denial-of-service computer attack. Coverage also includes extra expenses, forensic expenses and dependent business interruption.
• Liability – Covers defense costs, settlements, judgments and, sometimes, punitive damages incurred by a company as a result of: -Breach of privacy due to theft of data (such as credit cards, financial or health related data); -Transmission of a computer virus or other liabilities resulting from a computer attack, which causes financial loss to third parties; -Failure of security which causes network systems to be unavailable to third parties; -Rendering of Internet Professional Services; and -Allegations of copyright or trademark infringement, libel, slander, defamation or other “media” activities in the company’s Web site, such as postings by visitors on bulletin boards and in chat rooms. This also covers liabilities associated with banner ads for other businesses located on the site.
• Cyber Extortion – Covers the “settlement” of an extortion threat against a company’s network, as well as the cost of hiring a security firm to track down and negotiate with blackmailers.
• Crisis Management – Covers the costs to retain public relations assistance or advertising to rebuild a company’s reputation after an incident. Coverage is also available for the cost of notifying consumers of a release of private information, as well the cost of providing credit-monitoring or other remediation services in the event of a covered incident.
• Criminal Rewards – Covers the cost of posting a criminal reward fund for information leading to the arrest and conviction of a cyber criminal who has attacked a company’s computer systems.
• Identity Theft – provides access to an identity theft call center in the event of stolen customer or employee personal information.

What Does Cyber Insurance Cost?

Depending on the policy, coverage can apply to both internally and externally launched attacks, as well as viruses that are specifically targeted against the insured or widely distributed across the Internet. Premiums can range from a few thousand dollars for base coverage for small businesses (less than $10 million in revenue) to several hundred thousand dollars for major corporations desiring comprehensive coverage. As part of the application process, some carriers offer an online and/or on-site security assessment free of charge regardless of whether the applicant purchases the insurance. This is helpful to the underwriting process and also provides extremely valuable analysis and information to the company’s chief technology officer, risk manager and other senior executives. “Companies spend billions of dollars annually setting up firewalls, buying anti-virus software but that’s not enough,” noted Worters. “Purchasing cyber insurance is another layer of protection to safeguard your business.”

The I.I.I. is a nonprofit, communications organization supported by the insurance industry.