Theorem: Technology is not always the answer.
Proof #4,825: In 1930, the French military began constructing a great barricade across the entire French-German border to prevent a repeat of the German invasion two decades earlier. The brainchild of French defense minister André Maginot, the interlocking series of forts and blockhouses that made up Maginot’s line was hailed as an engineering masterpiece. It was thought to be impregnable.
It probably was. Unfortunately, in 1940, the German army simply flanked the line, getting into France through neighboring Belgium. French military leaders were taken completely by surprise. They had reasoned that neutral Belgium would never ever attack them–thus, they hadn’t extended the Maginot line to cover France’s northwest border. In six short weeks, Paris fell.
Corporate risk managers could learn a lot from this small bit of history. Spooked by daily news reports of network break-ins and denial-of-service attacks, US companies have invested hundreds of millions of dollars in security for their ecommerce systems. Despite the massive outlay, businesses remain wide open to all sorts of threats in the virtual universe. In fact, in a canvass of US businesses conducted by the Computer Security Institute (www.gocsi.com), companies reported losing a total of $378 million to cybercrimes last year, up from $266 million the previous year.
Expect the bleeding to continue. A recent survey by insurer The St. Paul Cos. revealed that most companies rely almost exclusively on antivirus software, computer firewalls, and other technologies to prevent losses in cyberspace. Remarkably, only 64 percent of the respondents said their companies had even considered adding new types of insurance policies to cover technology risks. “There is the perception that you need a technological solution to a technology problem,” notes Bruce Schneier, chief technology officer at Counterpane Internet Security. “The security industry has sold firewalls and encryption as magic prophylactics. But they aren’t.”
Like safes for valuables, firewalls are an important first line of defense — but they certainly shouldn’t be the only defense. “If you don’t also have an alarm that rings and guards that come running, you’re not fully protected,” insists Schneier. “Security involves prevention, detection, and response.”
Edith Bunker Mentality
It also involves figuring out what you can’t prevent, detect, or respond to. As security experts point out, building a fortress around an ecommerce operation — and blithely expecting no breaches — is a dingy idea. Crime can’t be stopped in the real world. That’s true in the virtual world as well.
Risk managers can try to minimize the damage, however. Matthew Kovar, director of the security solutions and services planning group at consultancy The Yankee Group, believes companies should conduct an annual e-risk analysis. The process, Kovar says, must go beyond identifying which assets are most valuable. It also needs to include a review of a company’s policies and procedures, along with an assessment of the vulnerability of existing systems. Such an analysis gives executives a better sense of what’s safe–and what needs insuring.
A number of companies currently offer this sort of network checkup. Unisys, for one, conducts security-risk evaluations on behalf of insurance industry giant AIG. Other well-known insurers and insurance underwriters, including ACE USA, JS Wurzler, Lloyd’s of London, and Marsh & McLennan, have established similar partnerships with IT security specialists. “Insurance companies have geologists and epidemiologists and all kinds of experts on staff,” says Robert P. Hartwig, chief economist at the Insurance Information Institute. “It will be no different in the cyber world.” Ultimately, he believes, cyberinsurance will be rolled into standard liability and property policies.
As of now, the two are very separate products. In fact, in The St. Paul Cos. survey, a number of risk managers acknowledged that their companies’ current property-liability insurance policies don’t cover many of the technology risks their businesses face. “The problem with general liability insurance,” explains John Moccia, director of the technology division of Rollins Insurance, “is that the policies are triggered by bodily injury or property damage to tangible property. That’s why traditional insurance creates gaps in coverage.”
Assessment fees can create a few gaps of their own. Until recently, many insurers charged sizable fees for IT security appraisals. The fees — and the resulting sticker shock — discouraged some corporate managers from considering technology insurance. At consultancy Milliman USA (www.milliman.com), managers were told they’d have to pay $25,000 for a technology risk appraisal. Put off by the price, the managers eventually decided to take their chances — passing on cyberinsurance entirely.
Lately, however, insurers have begun lowering their fees for IT evaluations. “I haven’t seen anything like $25,000,” reports Lawrence P. Begley, CFO at online investor-relations specialist CCBN. “That’s a lot of money, and I’d be disappointed if I had to pay it.” In fact, AIG does not charge an upfront fee for the Unisys assessment. Sunil Misra, managing principal at Unisys’s worldwide security practice, says the group uses the Factory Mutual model from FM Global in appraising security risk. The model, based on BS 7799 from the British Standards Institute, is currently being reviewed by the International Standards Organization. A few other corporates contacted by eCFO said they also rely on the Factory Mutual model in assessing e-risk.
Cover Your ASP
It’s unclear whether the imprimatur of FM Global — a company with vast experience in testing drip valves — will deter shareholder lawsuits over faulty source code. For his part, The Yankee Group’s Kovar believes the Big Five accounting firms should be held liable if they certify a company’s risks and financial position without first making sure that proper e-risk procedures are in place. In fact, Kovar goes one step further. “If corporations do not go through this process,” he argues, “CIOs and CFOs should be held personally liable for lack of corporate due diligence in protecting their information technology assets.”
That’s a scary thought. Although risk management is traditionally part of the finance function, insurance is not generally a finance executive’s top talent. Throw complex computer technology into the mix, and you’ve got the makings of a major CFO worry.
You don’t have to tell that to CCBN’s Begley. Located in Boston, CCBN hosts the investor relations Web pages for more than 2,500 publicly traded corporations. The company also carries Webcasts of quarterly earnings calls. Given those virtual tasks — and the very real risks arising from them — Begley has made sure that CCBN carries a number of tech-focused insurance policies.
At the top of the list: business interruption insurance. “We have to cover CCBN, our clients, and all of our locations,” says Begley. Since CCBN outsources its Web hosting, the business interruption policy extends to application service provider Genuity. “If something happened at the ASP site to one of our boxes,” Begley points out, “our insurance would cover it.”
In addition, CCBN carries errors and omissions (E&O) insurance. Designed to defend companies against claims arising from faulty products, E&O policies can be easily tailored for the electronic world. “Any financial loss that we might sustain from system failures, loss of data, a virus, or not having hot-links work is covered by E&O,” says Begley. “It is like medical malpractice insurance for the world of cyberspace.”
The lion’s share of CCBN’s policies are written by Chubb. But like many CFOs, Begley relies on an independent insurance broker to help him evaluate his company’s needs. The evaluation takes place annually, or whenever CCBN goes through a major business change. “You have to find somebody you can trust,” cautions Begley. “It’s very easy to be fleeced in this area.”
The fleecing may lessen as e-risk coverage becomes more commonplace. The Insurance Information Institute’s Hartwig predicts that in three to five years, US businesses will be laying out about $2.5 billion for ecommerce insurance. Such a prediction implies an annual increase of 25-30 percent in the price of technology insurance coverage. “That’s fast,” says Hartwig.
It’s also not hard to figure. The fallout from the dot-bomb implosion is definitely driving up e-insurance premiums. One broker notes that many California etailers used patent infringement coverage as a sword, not a shield. Emboldened by protection against possible countersuits, they filed thousands of lawsuits against competitors. Not surprisingly, patent infringement coverage is now ungodly expensive–if you can get it at all.
The Sue Nation
While premiums for ecommerce insurance are definitely on the rise, the increases cannot be blamed solely on litigious dotcommers. The fact is, American consumers tend to sue first, ask questions later. This penchant for torts has driven the price of traditional corporate liability coverage sky-high. Things are not likely to be different in cyberspace. Says Hartwig: “I find it difficult to believe that attorneys who were so successful at suing US corporations in the physical world are suddenly going to leave them alone in the digital world.”
When discussing recent price hikes, insurers and brokers often cite the verdict in the lawsuit between the Mississippi State Tax Commission and IT consultancy American Management Systems, or AMS. Finding that the Fairfax, Virginia-based AMS had failed to deliver on its $12 million contract to provide Mississippi with a new tax-processing software system, a jury awarded the state a whopping $474.5 million in damages last August. “It was a very substantial verdict — the second-largest verdict, to our knowledge, in the state,” says Armin Moeller, Mississippi’s lead counsel on the case.
Eventually, management at the $1.2 billion-in-revenues AMS agreed to a $184 million settlement. AMS paid $20.8 million after taxes, with its two lead insurers (Chubb Federal Insurance and AIG’s National Union) kicking in the remainder. According to Moeller, AMS carried a comprehensive general liability policy with an E&O rider designed to handle claims related to the development of defective software. The policy included $2 million in primary insurance from Chubb Federal, $50 million in excess coverage from National Union, and a second $50 million in excess coverage from Chubb Federal.
Ironically, some observers think the AMS decision may turn out to be a boon for insurers. One industry insider claims that brokers are already getting mileage out of the case, along with other new economy scares. “AMS, the ‘I Love You’ bug — all these things have led insurance companies to claim the apocalypse is coming,” the source says. “Everybody should be paying more [for technology insurance]. But now they’re going to pay an inordinate amount.”
Still, not everyone thinks that the price is too high. David Manaster, president of the Electronic Recruiting Exchange, a Web-based provider of conferences and reports for HR professionals, says his company has been covered under E&O insurance for about a year. Despite the cost, Manaster considers it money well spent. “In this country, it is very easy to sue,” he notes. “Insurance really is a must-have for the peace of mind it provides.”