ECharge Corp. believes it has a great value proposition: offer a secure way for online companies to accept payments with absolutely no chance personal information can be stolen or fraudulently used, and back it up with a guarantee. But no matter how good a service might be, guarantees entail some risk. “There’s always the possibility that some little thing could fall through the cracks and cause a catastrophic event,” concedes Mark Tremont, CFO and chief operating officer at the Seattle-based company.
So eCharge did what lots of other online companies are doing. It bought cyberinsurance. “If the security or privacy of our Web site or network were compromised, it would blemish our brand and cause irreparable harm,” Tremont explains. “So our feeling was, let’s not spend time thinking about this; let’s protect our capital investors and buy an insurance policy.”
Cyberinsurance is the hottest sector in the insurance industry, an entirely new line of products that barely existed two years ago. Back then, most insurers were loath to use their capital to absorb corporate cyberrisks, a little- understood panoply of potentially devastating financial exposures. Only one underwriting agency, Insuretrust.com LLC (then known as Network Risk Management Services), offered specific online risk transfer products in the spring of 1997. However, coverage was offered only to Web sites, and rates were high.
But as the Internet E- commerce revolution took shape, demand for cyberinsurance burgeoned. More insurers entered the market, driving down prices, broadening coverages, and increasing overall protection limits. The result, says Adam McDonough, senior vice president at Willis Insurance Services, in San Francisco, is that “we’re in the midst of a warming trend. The user unfriendliness that characterized this product is fast disappearing. [Consequently], corporate purchasers should focus on covering their liabilities to others resulting from a security breach to their network–for instance, sensitive data falling into the wrong hands, contaminated or destroyed data resulting in financial loss to customers, a denial-of-service attack leading to delayed or lost orders, and so on. Limits to consider will vary widely, depending on the nature of operations, but $5 million to $20 million is a good start.”
Demand for cyberinsurance has exploded in the wake of three major cybersecurity breaches in the past six months. The first involved the penetration of CD Universe by a hacker dubbed “Maxus,” who stole some 300,000 customer credit card numbers. Maxus demanded a ransom payment of $100,000 to return the numbers, and made good on his threat to release them to the public when the online music retailer balked. He has yet to be apprehended.
The second breach was the notorious denial-of-service attacks in February against Yahoo, Ebay, Amazon.com, and other popular Web sites. The hackings shut down the sites for several hours, causing more than $1.2 billion in total losses, according to The Yankee Group. The Boston-based consulting firm tallied each company’s lost revenues, lost market capitalization due to plunging stock prices, and the cost for systems security upgrades. One of the hackers, a Canadian teenager with the colorful handle “Mafiaboy,” was later apprehended.