
Copyright © 2002 Business Insurance

Spotlight -- Risk Management:  New Technology & Online Solutions

"Threats Keep Pace with Technology"

December 3, 2001

by Joanne Wojcik
 
With the growing spread of debilitating computer viruses and increasing incidents of hackers attacking corporate Web sites, businesses around the globe are becoming increasingly concerned about the liabilities they face if outsiders should break into their computer networks via the Internet.

Because "computer networks are the backbone of our global economy," they need to be protected, said Emily Freeman, senior vp and director of e-business risk management and consulting at Marsh Inc. in San Francisco.

Companies face not only third-party liability if hackers disclose private information, such as customers' financial or health information, but the potential of first-party property damage should viruses creep into their systems and corrupt data or disrupt access, Ms. Freeman said.

And as fast as technology experts fend off these attacks, new threats are being unleashed every day, both inside and outside of organizations, cyber-risk experts say.

"It's one step forward, two steps back, as far as security goes," warned Duane Verzone, network security specialist for Tampa, Fla.-based Suncoast Schools Federal Credit Union. "For every new security patch, there's a hacker who can break into it."

The findings of the 2001 CSI/FBI Computer Crime Security Survey, which the Computer Security Institute conducts as a public service with participation by the Federal Bureau of Investigation's Computer Intrusion Squad in San Francisco, support this conclusion.

Of 538 computer security practitioners in U.S. corporations and government agencies that responded to the survey, 91% said they detected computer security breaches within the last 12 months; 64% acknowledged financial losses due to theft of proprietary information and/or fraud; and 35% were willing and/or able to quantify their financial losses.

And the magnitude of these losses is growing. Among those who quantified their losses, the losses totaled $377,838,700, up from a total of $265,589,940 in the 2000 survey.

For the fourth year in a row, more respondents (70%) cited their Internet connection as a frequent point of attack, up from 59% in 2000.

While these attacks seem to be increasing in frequency and have resulted in significant financial losses to the organizations involved, only 36% of respondents said they reported the intrusions to law enforcement.

They are reporting these occurrences to their insurers, though, said Ty Sagalow, executive vp and chief operating officer of AIG eBusiness Risk Solutions, a division of American International Group Inc. in New York.

"We have had claims and paid out millions of dollars since January 2000," when AIG first introduced its new suite of cyber-risk insurance products, Mr. Sagalow said. Currently, AIG has approximately 1,200 policies in force with limits "in the billions," he said. And submissions are up nearly 50% since the Sept. 11 terrorist attacks, he said.

"Companies were down days or weeks, depending on how they were connected to the grid. The event that caused the downtime may not have been foreseen, but it still caused a significant impact on companies' operations," said Jerry Ferguson, a partner at the New York law firm of Thacher Proffit & Wood.

But risk transfer cannot be the only solution to the problem, especially since capacity is limited, said Joshua Gold, a partner at Anderson Kill & Olick P.C. in New York.

"The new cyber-policy limits are insufficient," particularly for large corporations with significant exposures, Mr. Gold said. "If you're a traditional policyholder trying to Web-enable your business, the limits are not adequate for catastrophic loss. They need limits in the billions," he said.

The highest limits currently available from AIG are $25 million, though up to $50 million can be assembled through the use of facultative reinsurance, Mr. Sagalow said. But brokers may be able to assemble as much as $100 million by using more than one insurer, he added.

Mr. Sagalow said that AIG, recognizing that buying insurance is not enough, provides risk mitigation services as part of the coverage that comes with its cyber-risk policies.

eSher Underwriting Managers, a unit of Aon Corp.'s Sherwood Insurance Services Inc., also is providing risk management services as part of its CNANetProtect and eComprehensive Cyberrisk insurance programs, said Phil Pierson, founder of the Irvine, Calif.-based managing general agency. The services are also available on an unbundled basis to non-policyholders, he said.

"When we underwrite, we want to make sure the companies are focused on network security, especially if they have a lot of consumer information on their networks," Mr. Pierson said.

Regardless of whether they purchase insurance, organizations increasingly are hiring "ethical hackers" to test the vulnerability of their computer systems.

Suncoast uses the services of San Antonio-based Digital Defense Inc. to conduct at least one external "penetration" test per quarter, Mr. Verzone said. Under the Gramm-Leach-Bliley Act, financial institutions are required to conduct at least one such penetration test annually, he explained.

"Our home banking product is out there and available on the Internet," which makes it vulnerable to attack, Mr. Verzone said.

Mr. Verzone said he was surprised by how easily the technicians from Digital Defense could penetrate the system the first time the test was run. Since that time, though, the credit union has added an intrusion detection system, he said.

And the use of such systems has been increasing steadily, according to the CSI/FBI survey, which found that 61% of respondents used them in 2001, up from 50% in 2000, 42% in 1999 and 35% in 1998.

Suncoast also is preparing to upgrade to Digital Defense's newest software, which will allow the credit union to conduct penetration tests more frequently on its own.

With the new software, "companies could run a scan almost every day, just as they run virus scans," said John Turner, a developer and co-founder of Digital Defense.

Unfortunately, even with penetration testing and an intrusion detection system, "no network will ever be 100% secure," warned Joe Cooper, president and chief executive officer of Digital Defense. This is partly because the risk, many times, is internal. "Disgruntled employees are the largest sources of unauthorized access," he said.
 

© Copyright Business Insurance 2001, 2002