Monday, August 15, 2011

Cyber Insurance - The New Way to Manage Digital Risk | Business ...

Computer hackers stealing customers' credit card information are no longer just a threat to traditional technology and Internet companies. ChoicePoint, Polo Ralph Lauren and LexisNexis have captured headlines recently as victims of credit card theft. They're among the thousands of companies at risk from hackers breaking into their computer systems to take and abuse customers' personal information.

These days, every company doing business over the Internet is at risk, whether the company is a huge software maker, a bricks-and-mortar retailer with a dot-com presence or a tiny retailer selling specialty crafts online.

All businesses have private, critical information that's at risk. It could be anything from patents on intellectual property to customer social security numbers.

Unfortunately for these companies - and their customers - many digital losses are not covered under traditional corporate insurance policies. Commercial general liability policies - in particular the personal injury and advertising injury coverages - now offer very limited coverage for many of the risks emerging from the widespread use of the Internet for commerce. In addition, policies covering damage to your own property, vandalism, business interruption, and dishonesty focus on tangible property but offer little protection for malicious programming (viruses) and for intellectual property - significant exposures for many companies. These policies typically offer very limited coverage for loss of computer data, regardless of how catastrophic or debilitating the loss.

This leaves companies victimized by computer losses open to substantial financial damages - and the exposures are growing every day. Realizing this, a number of companies are seeking protection through a type of coverage loosely referred to as "cyber insurance." This insurance line has emerged over the past several years as a way for companies to hedge against lawsuits from customers whose personal information is stolen - or other lawsuits from customers alleging financial harm from misuse of digital information.

Let's look at two examples:

1. Fictional web site design firm "Web Design," which has 100 employees and $40 million in annual sales. Fictional client "Widget World" hires Web Design to design a Web site to sell products. In addition, Web Design creates a customized order package for Widget World to take orders online. The ordering software assesses tax on orders. Unfortunately, Widget World later learns it is not authorized to collect the tax and must refund the money to customers. The cost to Widget World is $250,000, which it decides to recover by suing Web Design. If that weren't enough, a Widget World competitor sues Widget World, claiming its Web site looks too similar to the competitor's Web site. Widget World then sues Web Design for trademark infringement. This used to be covered under Web Design's general liability policy, but the policy now excludes it. Cyber insurance typically provides this coverage.

2. Fictional retailer decides to offer products to customers online with payment by credit card as an option. A hacker breaks through the security and obtains and sells private information on the credit cards and social security numbers of 300,000 customers. The retailer notifies its customers of the security breach, but is exposed to claims from customers for unauthorized use of their credit cards as well as potential identity theft. Traditional policies exclude this but coverage can be bought back through certain kinds of cyber insurance.

Within the computer security industry, cyber insurance is gaining interest. A panel discussed it at the February 2005 RSA Conference and Expo, a leading security conference, in San Francisco. Many insurance companies now offer cyber insurance in one form or another. The coverage is evolving and pricing is improving as more companies express interest in the coverage and the industry sorts through new computer threats and the best ways to protect against them.

Insurance companies offer varied products that protect against different kinds of threats or losses, including:

Copyright and trademark infringement
Misuse of intellectual property
Negligent acts, errors, or omissions
Failure to perform, breach of warranty or representation
Libel, slander
Invasion of privacy
Denial of service or unauthorized access to, use of or introduction of malicious codes into data, software, systems or networks

Although cyber insurance has been available for the past four or five years, many larger companies choose to self-insure this exposure. However, as it has become more affordable and the coverage has evolved, even some of the largest firms in this area have taken advantage of it.

Premiums also vary based on the type of company being insured. A technology company, whose core business involves computers and the Internet, will pay more for cyber insurance than a company that only does 5 percent of its business over the Internet. For technology companies, the premiums are high in relation to other coverages. For example, cyber insurance may cost as much as 2.5 times the premium for directors and officers liability insurance and 25 times as much as general liability coverage for a small to mid-size technology company. It may be hard for such a company to swallow the relatively high cost of cyber insurance. But if the firm doesn't buy it, it could be gambling the entire company. If someone hacks into the company's computer system and misuses the information stored there, it could be potentially devastating.

The process of obtaining cyber insurance offers other benefits. Before an insurance company grants coverage for cyber exposures, it often works with the company to assess the risk and evaluate controls, including security measures in place to avoid or mitigate losses. This can identify vulnerable areas and the need for improved controls. Insurers also work with the company to make sure the company is prepared to respond promptly to problems, contain losses and keep them from escalating, and finally, to pay claims from a catastrophic event. The priorities are loss prevention, claim mitigation, and loss payment.

Companies who want cyber insurance will have to prove they:

Have a formal privacy policy in place
Have a policy governing whether and how they will sell or disseminate personal information
Will be responsible for personal data such as health and financial information
Have intellectual property rights clearance procedures for new and current employees
Have a formal policy on how to respond to security breaches and other complaints, in addition to inaccurate, defamatory or troublesome content
Have policies in place to protect users of chatrooms and bulletin boards
Have a security plan and protocols in place that are updated routinely
Have hired hackers to try to breach their security
Are ensuring the quality of their products and that they comply with standards, maintain documents, have a customer notification plan, and a plan to recall and fix products
Have planned for worst-case scenarios

Higher deductibles for cyber insurance are common. It's important that the company being insured has some "skin in the game" so they'll help control the risk and keep losses from happening.

Overall, having cyber insurance is part of a company's entire risk management effort, also known as "enterprise risk management." This involves looking at the business comprehensively and strategically to determine what can threaten a company's survival. Cyber-related losses could be so extraordinary that they would fall into this category. If a company does any significant portion of its business over the Internet - which includes selling products or services, communicating with employees or customers and exchanging information - it could be exposed to problems from people who want to cause havoc or harm.

For these companies, cyber insurance offers tools for managing their digital risk.

Don Jenkins is Executive Vice President, Insurance for Baldwin Resource Group, a company that offers a broad range of professional services to companies, including risk management, insurance, business consulting, integrated health services and anti-terrorism consulting. To reach Don and learn more about Baldwin Resource Group, please go to http://www.baldwinrgi.com

Source: http://business.educationeasy.net/business-insurance/cyber-insurance-the-new-way-to-manage-digital-risk/
