Fair Use: For Educational and Research Purposes Only

Hackers, Viruses Challenge Insurers

Source: The Hartford Courant

Publication date: 2000-05-20

Underwriters were more than willing to insure voluptuous country singer Dolly Parton's bustline for $600,000. Rocker Bruce Springsteen went Dolly one zero better: a $6 million policy on his voice.

Even if you're not a celebrity, for a $50 annual premium you can actually insure your home against attacks by space aliens.

But in what often seems a pay-the-premium-and-we'll-write-a- policy-for -anything industry, insurers have been slow to cover computer- dependent businesses for losses caused by hackers and viruses.

And businesses that manage to find such coverage can expect to pay a whopping premium, industry experts say.

The situation was underscored Thursday and Friday when the "NewLove" computer virus -- more destructive than the "Love Bug" two weeks earlier -- trashed systems around the world.

Most insurers use historical data to measure risk. One serious problem facing underwriters is the lack of a track record in an e- world that is only a few years old.

"The market is limited to those companies that can spend money on computer security," said Matthew Norris, director of information technology products at the Hiscox syndicate at Lloyd's of London.

Standard computer security includes firewalls, antivirus software that is updated weekly and systems that can prevent the entry of hackers.

Most policies with language specifically covering hacker attack carry annual premiums that start at $100,000 a year and run up to $3 million, Norris said.

Damage estimates for "Love Bug" range up to $10 billion worldwide -- mostly in lost work time. Although more destructive, "NewLove" did not spread as quickly and is expected to cause less total damage because computer security had been heightened by the earlier virus.

The hacker-insurance market is expected to grow to billions of dollars in annual premiums by the end of this decade. But for the time being, the market is stuck in a holding pattern. Few businesses realize that their coverage often stops short of protecting against hackers, and most insurers are reluctant to take on hacker risk, industry sources said.

Quick answers to the hacker problem remain as murky as the language in a typical insurance policy.

"It depends on the type of loss and the type of coverage," said Laura Bradshaw, a spokeswoman at Travelers Property Casualty Corp. in Hartford. "Protection against hackers is not spelled out in the current policy forms. But a hacking incident could be covered if the loss meets the criteria of an act of vandalism."

The Hartford Financial Services Group also writes commercial policies that, under certain conditions, will cover business interruption caused by hackers. But Travelers' Bradshaw said hacker insurance remains a work in progress. Her company is updating the wording of its policies to more clearly explain what e-commerce risks can be covered -- and what is excluded.

Almost all insurers are trodding just as warily into the e- commerce minefield. They see the potential for e-commerce policies, but almost all see the potential for huge losses.

Hacker policies sold today place limits on losses, said Norris, at Lloyd's of London. The risks include business interruption, liability, sabotage and theft of intellectual property.

"This insurance does present a challenge. The loss could emanate from anyplace in the world," added Robert Ditmore, vice president of technology underwriting at St. Paul Cos., one of the few companies that offer specialized coverage for hackers.

The "Love Bug," for example, is believed to have been hatched in the Phillipines; "NewLove," dubbed "Herbie" by the Justice Department, was first reported in Israel.

Though threats can come from just about anywhere, the data needed to mitigate those threats are nowhere to be found. The history of financial loss to e-mailed viruses is barely 3 years old. This year, it is known that Charles Schwab, E*Trade and eBay suffered business interruptions from e-mailed viruses.

"You have to gather data as you go along. But we're still left to depend on forecasting models to make underwriting decisions," said Ditmore, of St. Paul Cos.

Assembling an underwriting team for hacker coverage also requires more legwork for insurers. Most of the expertise needed to assess computer security is not available in-house.

Officials with St. Paul and ACE USA Ltd., another underwriter of e- damage, say they rely on consultants to perform security audits of prospective policyholders.

The underwriting process begins with questions asked in a policy application.

Does your company have an information security policy? Are employees trained to understand this policy? Do you have an information security officer? Do you have a team assigned to quickly address computer emergencies? How dependent is your company on electronic commerce?

"It all boils down to systems, policies and procedures. What security do you have in place? What will you do during an outage? Who can bring the system back up?" said Mark Greisiger, director of information technology products at ACE USA in Philadelphia.

ACE purchased CIGNA Corp.'s property-casualty insurance operations in 1999.

With many demands put to policyholders and insurers alike, few hacker insurance policies have been sold in the early going, analysts said.

But with more companies going online, and more facing exposure to hackers, the commercial market is likely to demand insurance against hackers as standard coverage," said Robert Hartwig, chief economist with the Insurance Information Institute in New York.

"It will start out as an endorsement," he said, using insurance- speak for additional coverage. "And it will have to evolve into standard coverage."

http://realcities.yellowbrix.com/pages/realcities/Story.nsp?story_id=10744218&site=charlotte&ID=realcities&scategory=Computers%3AY2K

====================

-- (Dee360Degree@aol.com), May 22, 2000