Information Security News mailing list archives
HACKING IT: Insurers are racing to provide coverage for a range of cyberrisks. But does the protection go far enough?
From: InfoSec News <isn () C4I ORG>
Date: Tue, 8 Aug 2000 02:55:13 -0500
http://www.cfonet.com/html/Articles/CFO/2000/00AUhack.html

CFO Magazine, August 2000
By Russ Banham

ECharge Corp. believes it has a great value proposition: offer a secure way for online companies to accept payments with absolutely no chance personal information can be stolen or fraudulently used, and back it up with a guarantee. But no matter how good a service might be, guarantees entail some risk. "There's always the possibility that some little thing could fall through the cracks and cause a catastrophic event," concedes Mark Tremont, CFO and chief operating officer at the Seattle-based company.

So eCharge did what lots of other online companies are doing. It bought cyberinsurance. "If the security or privacy of our Web site or network were compromised, it would blemish our brand and cause irreparable harm," Tremont explains. "So our feeling was, let's not spend time thinking about this; let's protect our capital investors and buy an insurance policy."

Cyberinsurance is the hottest sector in the insurance industry, an entirely new line of products that barely existed two years ago. Back then, most insurers were loath to use their capital to absorb corporate cyberrisks, a little-understood panoply of potentially devastating financial exposures. Only one underwriting agency, Insuretrust.com LLC (then known as Network Risk Management Services), offered specific online risk transfer products in the spring of 1997. However, coverage was offered only to Web sites, and rates were high.

But as the Internet E-commerce revolution took shape, demand for cyberinsurance burgeoned. More insurers entered the market, driving down prices, broadening coverages, and increasing overall protection limits. The result, says Adam McDonough, senior vice president at Willis Insurance Services, in San Francisco, is that "we're in the midst of a warming trend. The user unfriendliness that characterized this product is fast disappearing. [Consequently], corporate purchasers should focus on covering their liabilities to others resulting from a security breach to their network--for instance, sensitive data falling into the wrong hands, contaminated or destroyed data resulting in financial loss to customers, a denial-of-service attack leading to delayed or lost orders, and so on. Limits to consider will vary widely, depending on the nature of operations, but $5 million to $20 million is a good start."

Cyberattacks

Demand for cyberinsurance has exploded in the wake of three major cybersecurity breaches in the past six months. The first involved the penetration of CD Universe by a hacker dubbed "Maxus," who stole some 300,000 customer credit card numbers. Maxus demanded a ransom payment of $100,000 to return the numbers, and made good on his threat to release them to the public when the online music retailer balked. He has yet to be apprehended.

The second breach was the notorious denial-of-service attacks in February against Yahoo, eBay, Amazon.com, and other popular Web sites. The hackings shut down the sites for several hours, causing more than $1.2 billion in total losses, according to The Yankee Group. The Boston-based consulting firm tallied each company's lost revenues, lost market capitalization due to plunging stock prices, and the cost for systems security upgrades. One of the hackers, a Canadian teenager with the colorful handle "Mafiaboy," was later apprehended.

The third breach is really a series of breaches: the recent plague of E-mail viruses that infected systems and networks around the globe. They include the infamous Love Bug and the so-called résumé killer. Each of the attacks showed the vulnerability not just of online businesses but of all businesses, deepening the awareness of E-commerce risk.

And while most property/casualty policies failed to cover that risk, several major and more than a few minor insurers have moved to fill the void, including Lloyd's of London, Zurich Insurance Group, and Chubb Group of Insurance Cos. "The new policies made their debut at the beginning of the year, a few weeks before the well-publicized security breaches," says McDonough. "The insurers' timing was perfect. All the publicity given the hackings has translated into tremendous interest."

The policies are roughly comparable, covering a variety of similar exposures. AIG's NetAdvantage Program, for example, addresses a host of E-commerce disruptions, including cyberextortion, content defamation, copyright and trademark infringement, denial-of-service attacks, viruses, theft of information, and destruction or alteration of data. The insurer also offers rewards for information leading to the apprehension of hackers and expense reimbursement for post-hacking crisis-management activities.

Cyberinsurance policy costs vary widely, however, depending on the size and type of company insured. That said, costs have come down, from $45,000 to $50,000 for a million dollars in coverage a year ago for a large company to about $15,000 to $25,000 today, McDonough says. "As more capacity enters the market in the form of new competitors, and loss experience continues to be positive," he says, "pricing will certainly fall to the point where coverage becomes affordable for smaller and midsize companies."

Barriers To Entry

Widespread adoption of cyberinsurance has been hampered by insurers' insistence (as a precondition to coverage) that policy applicants undergo a rigorous security assessment by a third-party technology security firm. The process takes time, and is invasive (the security firms perform on-site technology audits and so-called ethical hackings, in which they attempt to penetrate a client's system to see if, or more likely how, it could be done) and expensive, with the entire cost borne by the applicant. The cost of the security audit can run into the tens of thousands of dollars for start-up dot-coms with no security track records--and that's before tacking on an insurance premium.

Take the case of AlphaTrust Corp., which was put through its paces last fall by Insuretrust. "Our security assessment cost us about $20,000," says Bill Brice, CEO of the Dallas-based electronic signature firm, "but we feel the cost was worth it. We provide technology that enables secure transactions to take place between online businesses. If someone were to access the digital credentials of one of our users to make a fraudulent transaction, it would erode our brand. Although the chance of this is exceedingly remote, you never know."

So AlphaTrust decided to make sure its "fraud-free" warranty to customers was backed up by appropriate insurance. "We went through a detailed 'top to bottom' physical and technical analysis of our security, networks, and procedures," Brice says, noting that the company would have undertaken this analysis on its own, had not its insurer required it. "It validated our entire architecture," he explains.

Atlanta-based LockBox Communications Inc. also paid for the security assessment required by insurance broker Marsh, which offers NetSecure, a suite of cyberinsurance policies backed by several insurers' capital. The assessment can have value beyond the mere vetting of a potential client. Marsh uses a third party, Internet Security Systems (ISS), also based in Atlanta, and when the audit was complete, LockBox CFO Chris Williams says, "they came back with a few suggestions, which were helpful and which we implemented. As part of our coverage, ISS will provide ongoing monitoring of our security processes." Williams wanted the testing at least as much as the insurance itself. "We're still waiting to see how much it will cost, and so far things look good," he says. "There's no way I'm going to go bare [without insurance]. But the audit is just as valuable."

Other companies, however, balked at paying for the required security audit. "We were talking with Marsh last fall about our need for cyberinsurance, when they said we had to undertake a $25,000 security assessment," says Bill Pedersen, CFO of Milliman & Robertson, a Seattle-based firm of consulting actuaries and health-care management professionals. "They presented such a list of hurdles we'd have to surmount, in terms of an audit, that we decided to go bare. Plus, they were asking way too much."

Milliman & Robertson created a Web site last year to sell online continuing medical education (CME) courses to physicians, and wanted insurance to absorb the risk of customer credit card theft. "We wanted to make sure we had financial protection in the event an unauthorized individual used our Web site to gain access to internal networks and customer data," says Pedersen. "At the end of the day, given the cost of the underwriting audit, we decided to absorb this liability through prudent risk management." So the firm added some monitoring tools to the site, as well as Web security solutions.

An End to Audits?

But as competition heats up, McDonough says, expensive audits are beginning to fall by the wayside. "Underwriters are realizing they have to take a certain amount of information on faith--that their clients know what they're doing, have a good track record, and can show in laymen's terms that they're secure," he says.

AIG is among those companies moderating their stringent underwriting stance. The New York-based insurer recently introduced a three-level underwriting process. The first level involves an online application, and, if the company passes relevant underwriting criteria, a conditional premium quote is provided within two days at no cost to the applicant. The second level involves an online assessment, in which the applicant completes a security questionnaire and the insurer's technology-security partners (companies that include IBM, RSA Security, and Global Integrity Corp.) evaluate the applicant's security remotely, a cheaper alternative than an on-site audit. The third level calls for the full-bore customary physical assessment.

Caveats And Caviling

A less-stringent underwriting process may not be appropriate for all companies, however. "A remote scan of a company's security doesn't deal with the human-element issues, which are really the major issues," says Steven Haase, CEO of Insuretrust.com. "You need someone to examine the business model, policies, and procedures, in addition to scanning the systems. Look at it this way: lots of fires occur at sprinklered facilities because someone shut the sprinklers off. There is no such thing as an airtight system, because they're all dependent upon people."

"I'd be very cautious about underwriters willing to provide insurance without really taking a look at your procedures and policies," says Ron Johnson, western regional manager of E-business solutions at Zurich U.S. in San Francisco. "Insurers are trying to buy market share by approaching E-risks like traditional insurance. But these are not traditional exposures. There will be some really serious losses in this market in the next month or next year. And that will scare the pretenders away."

Such scenarios may raise questions about whether, in such a new market, coverage levels will be sufficient. McDonough says the top insurers offer limits of $25 million and beyond, which would be enough to cover most losses--at least based on past types of damage. Companies that suspect this may not be enough can stack several insurers to achieve additional coverage. Analysts urge companies to get their legal departments involved in approving the policies; insurance contracts are often vague, and, given that there may emerge heretofore unknown forms of cyberrisk, a well-written contract may be the best defense.

Russ Banham is a contributing editor of CFO.

Point-&-Click Applications

The increasing popularity of, and competition in, cyberinsurance has prompted several insurers to develop a more flexible underwriting posture. Lloyd's of London, which entered the cybermarket six months ago with a requirement that applicants submit to stringent security audits, recently announced it would quote an insurance price to some applicants following completion of a detailed policy application. Ditto for confusingly named Insuredotcom.com, a Seattle-based underwriter for Safeco Insurance Cos., also in Seattle. "We decided an onerous underwriting strategy was scaring off buyers," says John Sacia, president of Insuredotcom.com.

So the company developed its own online questionnaire, comprising as many as 250 queries, to divine an applicant's vulnerability to security risks. Although the questionnaire, typically completed by risk managers, chief information officers, and, where warranted, legal counsels and CFOs, is dense, at least it's free--a far cry from $25,000 security audits. Once the questionnaire is filled out and uploaded, Insuredotcom.com places the applicant within one of 30 risk classifications. "If you're a new dot-com with nothing more than a portal doing a bit of advertising but no credit card transactions, you'll be classified quite a bit differently than, say, Amazon.com would be," says Sacia.

CFO Bill Pedersen of Milliman & Robertson has talked with Sacia and is reconsidering his decision to go without E-insurance. "He told me we could point-and-click our way to insurance," Pedersen says. "I've agreed to fill out the application with my IT people so we can get an idea of price and how comprehensive the insurance will be. Depending on these factors, I'll make a determination whether or not to buy." --R.B.