November 2002
Cyber-Insurance Issues: Managing Risk by Tying Network Security to Business Goals?
By Oscar Kolodzinski
Cyber-crime is a catch-all phrase that encompasses hacking into computers, creating and spreading computer viruses, perpetrating online fraud schemes, and stealing trade secrets and other intellectual property. Cyber-crime lawsuits are on the increase, making insurance more important than ever.
Cyber-risk began as an industry-specific need, mainly for e-commerce and Internet-related companies, but has now become mainstream. New viruses, hackers, and denial of service (DoS) attacks—explicit attempts by attackers to prevent legitimate users of a service from using that service—alerted the public to the reality that computer network security and risk management issues are no longer the exclusive domain of companies doing business over the Internet. Risks are not limited to outside threats or Internet access. Many companies now realize that just having a website may carry additional, unforeseen risks.
Most incidents of cyber-crime go unreported because the individuals and businesses affected want to avoid the negative publicity. For example, Vivendi Universal’s Canal Plus, a European television station, alleged that News Corp’s NDS Group hacked its security system and then provided the security code to a website used by counterfeiters. These counterfeiters used the information to create illegal smart cards that enabled them to tap into Canal Plus’s pay-television service. Canal Plus claimed to have lost $1 billion in revenue due to piracy, and pointed the finger at NDS Group.
Traditional Insurance vs. Cyber-Insurance
In general, traditional insurance—property, commercial liability, and crime—tends to focus on tangible damage to physical property and does not address cyber-risk. Traditional business interruption policies focus on damage caused by fire or flood and do not consider DoS attacks at all.
Companies such as AIG, Lloyds of London, and Zurich Insurance Group now offer such products in order to cover the gap left by traditional policies. Insurance companies may offer policies that combine traditional and cyber-coverage to small companies that have limited network security risks.
Cyber-insurance policies require higher premiums and deductibles because of challenges such as the lack of quantifiable data on cyber-risk. Depending upon the size of the company and the coverage required, premiums can run into the hundreds of thousands of dollars. If an insurer’s assessment does not find appropriate levels of computer network security, the policy may be denied unless the applicant meets the insurer’s recommended security specifications. Additional services, such as yearly vulnerability assessments, which monitor and alert management about potential problems, are also offered. In meeting an insurer’s standards, companies should be wary of investments in expensive, tactical, one-time solutions that aren’t in line with their short- or long-term objectives.
Types of Cyber-Coverage
Five areas of cyber-coverage need to be addressed:
Liability. First-party liability covers a company’s own losses due to damage to availability, integrity, and confidentiality of company data, intellectual property, and other privacy infringement–related issues. Third-party liability covers related losses incurred by others.
Business interruption, income, and expenses. These policies cover a company’s loss of revenue and additional expenses caused by DoS attacks, viruses, hackers, and fraud. They may also cover a company’s losses incurred as a result of disruption of the computer systems of others on which the company relies.
Product or service failure. This cyber-coverage covers legal actions attributable to the failure of a product or service.
Extortion. Such a policy covers ransom for valuable information.
Crisis management. This coverage applies to expenses to facilitate recovery of losses, as well as to support public relations efforts to communicate with constituents.
Insurers also offer packages that may include coverage for criminal reward as well as loss of revenue.
What Is the Right Risk-Management Mix?
Because insurance will not avoid a lawsuit nor put a company back in business immediately, cyber-insurance usually requires additional investments in controls and infrastructure before a policy is underwritten. Because small and medium-size companies need to use their resources wisely, they are especially at risk.
A company needs to determine its acceptable level of business risk. Although buying insurance may reduce the company’s risk, this solution should be in line with the company’s own goals and risk assessment. Many small and medium-sized businesses may decide to forego cyber-insurance because of cost considerations, but often these determinations are not made based on a business-driven risk management strategy.
Aligning Corporate Goals with Network Security
The analysis of potential risk and the allocation of resources for computer network security and business continuity require strategic, long-term planning. Most companies tend to be reactive and respond with quick infrastructure solutions. A strategic approach to computer network security leads to a more efficient plan and a less expensive risk-management strategy.
Aligning computer network security to corporate goals provides management with a framework for steering resources, whether it be toward infrastructure, improved controls, training, or insurance, based on a carefully thought-out process that analyzes the level of risk the company is willing to absorb. This analysis will lead to better computer network risk management. The company will achieve higher levels of efficiency and cost-effectiveness essential to its profitable growth.
©2006 The CPA Journal.