The CPA Journal

Cyber-Insurance Issues: Managing Risk by Tying Network Security to Business Goals ?

Cyber-crime is a catch-all phrase that encompasses hacking into computers, creating and spreading computer viruses, perpetrating online fraud schemes, and stealing trade secrets and other intellectual property. Cyber-crime lawsuits are on the increase, making insurance more important than ever.

Cyber-risk began as an industry-specific need, mainly for e-commerce and Internet-related companies, but has now become mainstream. New viruses, hackers, and denial of service (DoS) attacks—explicit attempts by attackers to prevent legitimate users of a service from using that service—alerted the public to the reality that computer network security and risk management issues are no longer the exclusive domain of companies doing business over the Internet. Risks are not limited to outside threats or Internet access. Many companies now realize that just having a website may carry additional, unforeseen risks.

Most incidents of cyber-crime go unreported because the individuals and businesses affected want to avoid the negative publicity. For example, Vivendi Universal’s Canal Plus, a European television station, alleged that News Corp’s NDS Group hacked its security system and then provided the security code to a website used by counterfeiters. These counterfeiters used the information to create illegal smart cards that enabled them to tap into Canal Plus’s pay-television service. Canal Plus claimed to have lost $1 billion in revenue due to piracy, and pointed the finger at NDS Group.

In general, traditional insurance—property, commercial liability, and crime—tends to focus on tangible damage to physical property and does not address cyber-risk. Traditional business interruption policies focus on damage caused by fire or flood and do not consider DoS attacks at all.

Companies such as AIG, Lloyds of London, and Zurich Insurance Group now offer such products in order to cover the gap left by traditional policies. Insurance companies may offer policies that combine both to small companies that have limited network security risks.

Cyber-insurance policies require higher premiums and deductibles because of challenges such as lack of quantifiable data on cyber-risk. Depending upon the size of the company and the coverage required, premiums can run into the hundreds of thousands of dollars. If an insurer’s assessment does not find appropriate levels of computer network security, the policy may be denied unless the applicant meets the insurer’s recommended security specifications. Additional services, such as yearly vulnerability assessments, which monitor and alert management about potential problems, are also offered. In meeting an insurer’s standards, companies should be wary of investments in expensive, tactical, one-time solutions that aren’t in line with the their short-or long-term objectives.

Liability First-party liability covers a company’s own losses due to damage to availability, integrity, and confidentiality of company data, intellectual property, and other privacy infringement–related issues. Third-party liability covers related losses incurred by others.

Business interruption, income, and expenses. These policies cover a company’s loss of revenue and additional expenses caused by DoS attacks, viruses, hackers, and fraud. They may also cover a company’s losses incurred as a result of disruption caused by the computer systems of others relied on.

Product or service failure. This cyber-coverage covers legal actions attributable to the failure of a product or service.

Crisis management. This coverage applies to expenses to facilitate recovery of losses, as well as to support public relations efforts to communicate with constituents.

Insurers also offer packages that may include coverage for criminal reward as well as loss of revenue.

What Is the Right Risk- Management Mix?

Because insurance will not avoid a lawsuit nor put a company back in business immediately, cyber-insurance usually requires additional investments in controls and infrastructure before a policy is underwritten. Because small and medium-size companies need to use their resources wisely, they are especially at risk.

A company needs to determine its acceptable level of business risk. Although buying insurance may reduce the company’s risk, this solution should be in line with the company’s own goals and risk assessment. Many small and medium-sized businesses may decide to forego cyber-insurance because of cost considerations, but often these determinations are not made based on a business-driven risk management strategy.

The analysis of potential risk and the allocation of resources for computer network security and business continuity require strategic, long-term planning.
Most companies tend to be reactive and respond with quick infrastructure solutions. A strategic approach to computer network security leads to a more efficient plan and a less expensive risk-management strategy.

Aligning computer network security to corporate goals provides management with a framework for steering resources, whether it be toward infra-structure, improved controls, training, or insurance, based on a carefully thought-out process that analyzes the level of risk the company is willing to absorb. This analysis will lead to better computer network risk management. The company will achieve higher levels of efficiency and cost-effectiveness essential to its profitable growth.

The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

Visit the new cpajournal.com.