What Insurance Can — and Can’t — Do for Security Risks: An Interview for Secure Business Quarterly

by rthieme on July 27, 2001

Looking for Light in the Fog of War:

What Insurance Can — and Can’t — Do for Security Risks

by Richard Thieme

The “fog of war” is a metaphor for the lack of clarity in any competitive arena due to a shortage of good information. When we try to quantify risk, we enter that fog. So how do businesses evaluate liability and risk? How do they identify a fair price for risk management?

The conversation between risk managers, insurance companies, and security professionals is beginning to lift the fog.

What Is E-Insurance?

How do insurance companies insure something whose actual risk is hard to measure? When the actuarial data that is usually gathered over decades does not yet exist, insurance companies develop specialty policies. Today’s e-insurance policies are developed in this way.

Since March 1999, insurance giant Zurich North America Financial Enterprises has been seeking solutions for customers’ e-business needs. In the insurance industry, two years is a heartbeat.

According to David O’Neill, Zurich’s Vice President for E-Business Solutions, the first step in devising an e-insurance product for a customer is analyzing the new exposures created by the Internet and identifying where traditional insurance products fall short. Once these products are developed, then comes the challenge of pricing. “We work very closely with our actuarial staff, since we are breaking new ground here.”

These “interesting conversations,” as O’Neill euphemistically calls them, search for the right baseline rate and appropriate mathematical structures for insurance. Insurance carriers can assess rate structures on many traditional insurance products with a high degree of confidence, but since this is a new world, those models have not yet been tested.

The next step is to define Zurich’s underwriting or risk selection process for potential customers. Some of the variables weighed for a prospective customer include how the customer’s platform is run, independent external reports on the customer, the churn rate in management, and then direct customer contact to get a sense of how serious management is about security. The process gets risk managers, CTOs, CIOs, CSOs, and controllers to step back, see the big picture, and relate their experience in the bricks-and-mortar world to the less tangible world of e-commerce.

Insurers like Zurich look for a sequence of events in the traditional insurance world that will build up or build down a rate structure, and then they apply it toward similar events in the virtual world.

The process by which an insurance giant like Zurich engages with potential customers is a procedure involving mutual education and collaboration. If the process is not a win/win conversation in which both parties are learning and growing together, it won’t work. Defining that process and managing it with integrity creates value for everyone involved.

Traditional insurance policies cover physical injury to tangible property. When a building burns down, the property policy responds. But what happens if code malfunctions? Or systems are breached? When we move from a tangible world to an intangible world, there are gaps between what existing policies offer and the needs of the cyberworld — the economy and environment in which we now operate.

Most businesses today are affected by these gaps, whether they know it or not. Often businesses think that if they’re not selling on the Internet, then they aren’t at risk — but any business with external connectivity is vulnerable to viruses, denial-of-service attacks, unauthorized access, and a host of other things that were not considered seriously until a few years ago.

O’Neill likens e-commerce insurance to catastrophic insurance. “It’s somewhat like California earthquake insurance for the Internet or the cyberworld. Rates are important, but quality of risk is the most important characteristic. Whether a customer is paying a premium of $50,000 or $500,000 is not going to make a bit of difference when the quake hits. The real question is: How will you withstand the loss event, and ultimately, will the insurance carrier be there to pay for the claims?”

“Making the cut to be insured is the customer’s number-one job. Then we can discuss pricing and terms and trade-off rates.”

That might sound as if only those who do not need insurance can qualify to get it, but that’s not the case. This is a process of self-evaluation by businesses to bring their security practices up to par. Only those who demonstrate by their actions that security is a serious business — those who control what they can control — are eligible for insurance that covers risk in areas they cannot control.

The insurance company then evaluates the likelihood of significant loss events. This requires real judgment, according to Phyllis Van Wyhe, CPCU, CIC, an educator for the insurance industry and principal of the Van Wyhe Group based in Milwaukee, Wisconsin. Van Wyhe notes that when Lloyd’s of London insured ships for long voyages nearly 300 years ago, they lacked actuarial data and had to use folklore and discernment to set rates. They evaluated the crew, the captain, the prior experience of the ship, and the route — good metaphors for evaluating businesses in the e-commerce space as well.

The evaluation process is well worth the customer’s time even if they choose not to buy coverage. For example, Zurich looks at whether a business is using code review software that monitors code integrity. If a customer does not audit code for deficiencies in security, reliability, and operations, or does not constantly monitor the integrity of its network, it will learn why it should. Because the insurer knows the importance of seeing what happened before and after an event, the customer comes to understand the value of a detailed forensic analysis.

This extensive evaluation process does take time. Van Wyhe emphasizes the labor-intensive nature of underwriting e-commerce policies and the associated costs. (In fact, Zurich constantly updates its underwriting processes; its contracts have changed 15 times since it entered this arena.) In the past, she says, insurance was like an alarm system that protected property. If there was a crime, we called the police. Now we have to use experts to establish that there was a significant loss and to evaluate the degree of exposure and identify the controls in place. That’s expensive.

Van Wyhe says that businesses need to understand that these are not yet broad comprehensive contracts, but are focused more narrowly on specific exposures. “You’re told what’s covered,” she says, “not what’s not covered.” She adds: “These are low-frequency, high-severity exposures, so the amount of coverage does make a difference. Until we have statistics, there will be limits on exposures, as there always are on new products.”

What Needs to Be Covered

O’Neill states that the four basic areas of loss covered by e-insurance are (1) unauthorized access and use; (2) denial of service; (3) viruses, worms, and trojans; and (4) errors and omissions from an operational rather than a product perspective.

Because different industries and sectors have different needs, insurance products are offered in a large menu — rather like a deli counter or a menu at a Chinese restaurant, O’Neill says. Customers can pick and choose the parts of the contract that bring value to their organization. The conversation focuses on the loss of income and extra expenses associated with an event.

Customers can focus on coverage for loss of intellectual property — not the value of the intellectual property, but the cost of replacement. If a database is corrupted or information needs to be restored, insurance helps to pay for the processes needed to get back on track.

Another area of coverage is for interruption or impairment of service. This type of policy takes effect if a third-party lawsuit occurs because someone could not get to their bank account or make a stock trade, or if a loan is lost because they could not access their money.

Businesses that do significant amounts of electronic publishing need a different kind of liability insurance, addressing product disparagement, defamation, or copyright infringement. Other coverage addresses electronic extortion and electronic computer theft.

Businesses need to understand their current insurance policies. A close look at coverage might reveal that viruses, for example, are not covered under traditional property insurance, because traditional definitions of property do not recognize the inherent value of assets in electronic form, such as proprietary software or IP. Traditional property definitions also exclude dishonest and fraudulent acts committed by the insured or employees of the insured, and they do not cover losses caused by programming errors.

The bottom line is that a business must understand a wide variety of risks, evaluate its particular risk level, and ask if it needs all the coverage or just parts of it — $1 million of coverage or $25 million.

A Case in Point

The industries with the most to lose — such as those in the financial sector — are way ahead of the curve. They have to be. They understand that they do not merely need “hacker insurance,” but also network liability insurance for internal as well as external threats. Computer Security Institute/FBI data shows that the majority of events occur within the organization — a fact that O’Neill says usually gets a customer’s attention.

A typical mid-level Zurich customer might be a midsize bank with $3 billion in assets and conservative leadership with concerns about doing business in cyberspace. Their concerns may have kept them offline. The institution has good insurance coverage in traditional areas but wants to expand into e-commerce with services such as making online account balances available on the Internet.

How might this customer examine its risk management policies realistically? A trusted consultant would be a good choice to initiate a conversation. Using a security questionnaire, the consultant could lead the company to examine various exposures so it can discover gaps in coverage for itself. Then a custom assessment of its needs could be developed.

For a large financial services company, O’Neill says, the entire process might take three to four weeks. He suggests that at the first meeting the group take three hours to have a technology conversation with the CTO and CSO, focusing on the network and connectivity. The next two- to three-hour meeting should have a different focus: creating a good two-way dialogue that enables the business side as well as the technical side to ask challenging questions. Then the business and technical sectors of the company can work together with a shared understanding of where they are today and where they’ll be in six months.

Sometimes a company concludes that it does not need insurance. It accepts the risk as a cost of doing business. If it has a high level of tolerance for exposure to unauthorized access, electronic publishing issues, or hosting and collocation data storage, O’Neill says the company can go it alone — but he would hesitate to do business with them in any area.

Buyer Beware

The customer must trust the source of its information because some insurance vendors are taking inappropriate risks. Some vendors have “weasel clauses” that let them evade responsibility. If you don’t update your virus definition files daily, for example, and a virus takes down your system, they can claim you weren’t covered.

There is plenty of vaporware out there too. Some companies offering insurance products lack the infrastructure to back them up. For these reasons, it is essential for the buyer to interview insurance vendors, scrutinize their underwriting talent, read their professional bios, and identify their partners. What industries do they have credibility in? Where do they speak? What do other financial institutions and associations say about them?

What the Future Will Bring

Momentum is in the direction of increasing awareness. Independent agents and brokers have learned that if they don’t advise clients about gaps between existing insurance products and electronic insurance products, they will be liable for errors and omissions. Insurance companies are creating leakproof text to be included in all communications from their own agents.

O’Neill also cites pressure from policyholder attorneys like Michael Rossi of the Insurance Law Group in Glendale, California, a law group that often represents policyholders. Rossi has written that “stand-alone e-commerce insurance policies that address potential ‘gaps’ appear to be the only viable option for insuring [certain] risks with express insurance language.” Rossi predicts that we will see more and more large companies take an interest in stand-alone e-commerce insurance, especially if they cannot secure computer virus coverage in their commercial property insurance programs. Unfortunately, he notes, more and more commercial property insurers are starting to expressly exclude or severely limit coverage for losses caused by a computer virus.

In the future, the distinction between “real” property and “intellectual” property will blur: Traditional insurance will roll into the e-commerce world and normal coverage will evolve into e-commerce coverage. In the meantime, technologies that have proven particularly vulnerable, such as wireless networks, are excluded from some types of insurance.

Zurich’s own IT staff mandates that specific protocols be followed when connecting outside its company boundaries. Its e-commerce underwriting team looks for this same type of policy when evaluating individual candidates for risk insurance. Some other companies might have less restrictive policies — but that should raise red flags.

Depending on where you sit, you will look through the fog and see risk and exposure differently. The CFO will see it from a financial-smoothing perspective, while the technologist will think more in terms of the name and reputation of the company. A good process of evaluation will factor in all of these variables and allow a business to reach a reasonable consensus as to risk and exposure and a reasonable return on invested security dollars.

Copyright Secure Business Quarterly, an @stake publication, 2001. All Rights Reserved.

Reprinted by permission.
