Cyberinsurance?

"There were computers all over the conference center," said one participant, who asked not to be identified. "You could swipe your name badge, get online, communicate with others at the conference and sign up for sessions. Some of the sessions were over lunch and dinner, and required credit cards."

The participant said the hackers did not use his credit card to buy anything since the culprits were more interested in drawing attention to their antiglobalization cause than in racking up bills. Still, he canceled his card and requested a replacement. "It was more precautionary than anything else."

It was the kind of incident that many people see as harmless, maybe even funny, especially given the prominence of many of the victims. Who wouldn't like to imagine a celebrity executive or politician trying to explain to a credit card company representative on the phone how he didn't really go on a shopping spree and buy 50 Rolex watches.

But Emily Freeman, senior vice president of Marsh Inc., a leading global risk manager and insurance broker with headquarters in New York, takes an altogether different view. "When people think of hacking they think of 12-year-olds with multiple body piercings creating the Anna Kournikova virus, doing it for fun to make a name for themselves. But there are others who are organized and trying to commit major fraud, trying to steal for espionage purposes and stealing credit card numbers. It's not just a nuisance."

Freeman's company and others are busy trying to alert organizations nationwide about the potential havoc cyberoutlaws can wreak and urging potential customers to consider a product still in its infancy: insurance to cover an array of computer-security risks.

A disturbing picture
Freeman says the number of hacking incidents is impossible to pin down with any degree of accuracy because many organizations, fearing bad publicity, simply do not report incidents to law enforcement authorities or anyone else. But there is some data that offer a glimpse of the scope of the problem. A survey of 643 computer-security practitioners by the Computer Security Institute, a San Francisco-based association of information-security professionals, paints a picture that one of its officials has called "disturbing."

The survey, released in March 2000, found that 90 percent of respondents, mostly large corporations and government agencies, had detected "computer security breaches" of all sorts--not just hacker attacks--during the previous 12 months. Some involved run-of-the-mill incidents like viruses, Internet abuse by employees and laptop thefts. But 70 percent reported financial fraud, system penetration, theft of proprietary information and denial-of-service attacks (when an e-commerce provider or other Web site is knocked offline and is unable to do business). Of the organizations surveyed, 74 percent admitted financial losses, but only 42 percent were willing to or able to quantify those losses, which totaled $265.6 million.

Dan Hunter--a Wharton legal-studies professor who prefers the term "cracking" to describe computer security attacks that are criminal, not mischievous, in nature--says the lion's share of computer security is focused on maintaining the integrity of credit card information.

"We used to be concerned, as consumers, about sending credit card numbers over the Net, but that's pretty much secure," Hunter says. "It's difficult and not particularly feasible for a cracker to put a 'sniffer' between you and Amazon.com to copy credit card details. It's easier to break into e-commerce sites that hold thousands of names and either just rip off the information or blackmail the company into providing money" in exchange for the data.

A successful theft of information from a credit card company like Visa or MasterCard is highly unlikely because security is sophisticated, Hunter says. Likelier targets include smaller e-commerce sites that are poorly protected. Hunter says other types of cybercrimes, such as denial-of-service attacks and industrial sabotage resulting in theft of corporate secrets, are serious, but pale in comparison to the potential extent of damage posed by credit card theft.

Gerry McCartney, associate dean and chief information officer at Wharton, says the school's computer system is an unlikely target for crackers because the information contained there is largely of little value to criminals. "Our data usually isn't life or death data," he says. "It's not military data or health-systems data."

The trade-off
The issue of computer security is a complex one for a university, McCartney says. For one thing, universities by nature are open environments and sharing information is central to their mission. In addition, there is the question of balancing cost with the value of the information at risk. "There's a trade-off between (a potential security problem) and how much you want to spend to address the problem," he says. "We just can't buy as much (security) as we think we might need."

McCartney says a "nontrivial number" of cyberattacks come from inside the Wharton community, such as the student who sends out a fake e-mail announcing a cancellation of exams. "We get attacks from outside, but they tend to be attacks that affect everyone, like the Melissa virus," whose target was Microsoft Exchange software. In response to that virus, McCartney says, Wharton disconnected itself from the Internet for 20 minutes, installed an antiviral patch and set about "disinfecting" the system.

As an insurance broker, Marsh does not write policies. Instead, it creates products and looks for insurers to underwrite them. Two years ago, Marsh developed a product called NetSecure, the first version of which was designed for IBM. NetSecure is underwritten by the Zurich Insurance Group and Lloyd's of London, Freeman says.

Marsh is involved in coverage in other ways, too. The company has created special language for policies offered by other companies, principally AIG and Chubb, that provide variations on the type of coverage spelled out in NetSecure. "We offer clients choice," says Freeman. "Not everyone wants a Cadillac. We have people who want to cover security risk in a robust way and others who want minimal coverage." Clients range from Fortune 200 businesses to small companies.

In general, insurance can provide coverage for: external threats from viruses that disrupt and deface Web sites; unauthorized use of an organization's computer system; theft of an organization's own data by insiders or outsiders; extortion; denial-of-service attacks; crisis management; and liability against lawsuits.

Freeman says most of the policies Marsh has been involved with have been bought by brick-and-mortar organizations that wish to establish sites for various business-to-business activities. The second largest group of customers consists of retailers who have become Web-enabled. The third biggest group is health-care providers, which are subject to regulations concerning the management of patient information. The fourth consists of entertainment and media companies, ranging from motion picture studios to online newspapers. The three chief concerns of insurance customers, Freeman says, are information theft and credit card fraud, viruses, and denial-of-service attacks.

Freeman says computer-security insurance remains a tiny but growing piece of the total insurance business.

Is cyberinsurance feasible?
One person who is skeptical of the need for cyberinsurance and its potential for growth is Greg Meyers, practice director and lead strategist at Qwest Interactive, the professional services division of Qwest Communications International, and an adjunct professor of marketing at Wharton.

Underwriting such coverage requires a "tremendous amount of due diligence as well as large sums of money to hire consultants to inspect a computer system for flaws before writing policies," says Meyers, former associate director of the Thought Leadership Group for PricewaterhouseCoopers' global e-business initiative. Also hard to figure out, he says, is the value of data that may be stolen and how much money an e-commerce site may lose if a hacker forces it to go down for several hours.

"It hasn't taken off," Meyers says of cyberinsurance. "We've not been able to find a good way to assess data loss. Amazon can say, 'we'll lose so much money per hour' if they go down (as a result of a denial-of-service attack). But what's the cost of losing potential customer data? What's Amazon's database worth?

"The risks are unknown," he adds. "Hackers are getting better every day but technology (to thwart hackers) is getting better every day. Who's going to win the race? If the hackers win out, insurance companies are going to lose big" in the amount of claims they have to pay.

Marsh and other firms, however, believe insurance against cyber risks is a line of business worth pursuing. Says Freeman: "When a Web site goes beyond brochure-ware and goes into transaction or integration activities with outside parties and becomes part of the enterprise function, that's when we start to see the security-risk issue get to the point where people are concerned about it."

 
To read more articles like this one, visit Knowledge@Wharton.

All materials copyright © 2001 of the Wharton School of the University of Pennsylvania.