In the wake of costly, virulent viruses such as the recent Blaster Worm, there is one word that is probably top of mind for businesses across the globe: cyber-insurance.
Accordingly, an increasing number of insurance companies are delving into the risky business of offering protection against
the unpredictable damage that e-mail viruses or “hacker attacks” are capable of inflicting.
Indeed, viruses such as the Blaster Worm appear out of nowhere, have unpredictable paths, and cause billions of dollars in economic damage. The Sobig-F e-mail virus reportedly reached one million computers in 24 hours. Some reports estimate worldwide damage of the Love Bug to be worth US$8.7 billion. Meanwhile, the 2003 CSI/FBI Computer Security Survey of 530 information security practitioners found theft of proprietary information and denial-of-service (DoS) attacks resulted in a US$65.6-million loss, up 250 per cent since last year.
Nonetheless, it seems that some insurance companies are willing to cast all risks aside and hedge their bets. Take Holman Insurance Brokers Ltd., based in Richmond Hill, Ont., as just one example. The company offers protection for both hacker/cyber theft and DoS attacks. Likewise, American International Group (AIG), the world’s largest insurance company that writes 70 per cent of cyber-policies in the U.S., offers similar protection to Canadian clients, including Yahoo Canada in Toronto. Also on the bandwagon is Lloyd’s of London, which offers US$10 million in cyber-protection for US$750,000.
According to some, these insurance companies are making suicidal choices.
“It’s a crazy move,” says Catherine Hajnal, referring to the erratic nature of cyber-attacks.
The assistant professor of information systems at Carleton University’s Sprott School of Business also worries that companies will regard cyber-insurance as a way to relax their investment in crucial data-security infrastructure.
“I’d hate to see organizations use insurance as a way not to worry about this,” she says. “The responsibility really lies with the organization to do the right thing. We hear about firms not updating, or getting the patches like they’re supposed to. Is the insurance an excuse for not doing that? That shouldn’t be the way.”
As for the insurance carriers, many are “very afraid of jumping into an exposure line until there is decades and decades of data that can be put into a table,” acknowledges Ty Sagalow, chief operating officer at AIG eBusiness Risk Solutions in New York City.
But Sagalow insists there is a rational way of calculating cyber-risks.
“In 1999, when we first started looking at network security and the Internet, we put together a task force to determine the exposures and to determine the best way of underwriting it,” he says.
Now it’s up to the business world to jump on board. But the reality is that only seven per cent of companies surveyed by Ernst & Young have actually bought cyber-insurance, a percentage E&Y called “astonishingly low” given the risk environment.
Despite the low numbers, Sagalow says AIG’s cyber-insurance arm has “grown tremendously over the last couple of years,” adding that more and more competitors are matching AIG’s cyber-plan in response to an increased demand worldwide.
“That seven per cent figure is low, but I bet a couple of years ago, it stood at 2.5 per cent,” says Sagalow.
As of February 2003, AIG had only issued 2,000 policies, each with a minimum price of US$10,000. But according to recent industry estimates, company spending on hacker insurance is set to rocket in the United States from US$100 million to US$2.5 billion by 2005.
Acting as a possible boon to the cyber-insurance industry was the White House’s National Strategy to Secure Cyberspace, released last February. It said: “”No matter how much money you spend on technology, you are not going to prevent all disruptions.”” Consequently, the strategy recommends that businesses purchase some form of cyber-insurance.
More recently, John Spagnuolo, a cyber expert for the Insurance Information Institute, warned: “Unfortunately, most companies are operating in a 21st century threat environment with 20th century insurance coverage.”
Meanwhile, some companies that were recently hit by the Blaster Worm appear to be weighing their options. Laura Cooke, a spokeswomen for Air Canada, says the company has “various insurance policies that could respond to events like power outages or service interruption of any nature, including computer viruses.”
But the coverage is obviously subject to the policy’s specific terms and conditions, says Cooke. And there are obvious caveats with respect to deductibles.
Welchia, the computer worm designed to inoculate against the Blaster brought down Air Canada’s computer networks and forced the air carrier to check in passengers manually at airports across the country.
The airline is now trying to “get a better understanding of its (insurance plan’s) caveats,” says Cooke.
“Right now we are in the process of examining our various policies and, at the same time, we’re still quantifying any losses sustained by the company as a result of (power) outages and computer viruses.”
— Illustration by Jarrett Osbourne