Information Security News mailing list archives

HACKING IT: Insurers are racing to provide coverage for a range of cyberrisks. But does the protection go far enough?


From: InfoSec News <isn () C4I ORG>
Date: Tue, 8 Aug 2000 02:55:13 -0500

http://www.cfonet.com/html/Articles/CFO/2000/00AUhack.html

CFO Magazine August 2000

By Russ Banham

ECharge Corp. believes it has a great value proposition: offer a
secure way for online companies to accept payments with absolutely no
chance personal information can be stolen or fraudulently used, and
back it up with a guarantee. But no matter how good a service might
be, guarantees entail some risk. "There's always the possibility that
some little thing could fall through the cracks and cause a
catastrophic event," concedes Mark Tremont, CFO and chief operating
officer at the Seattle-based company.

So eCharge did what lots of other online companies are doing. It
bought cyberinsurance. "If the security or privacy of our Web site or
network were compromised, it would blemish our brand and cause
irreparable harm," Tremont explains. "So our feeling was, let's not
spend time thinking about this; let's protect our capital investors
and buy an insurance policy."

Cyberinsurance is the hottest sector in the insurance industry, an
entirely new line of products that barely existed two years ago. Back
then, most insurers were loath to use their capital to absorb
corporate cyberrisks, a little-understood panoply of potentially
devastating financial exposures. Only one underwriting agency,
Insuretrust.com LLC (then known as Network Risk Management Services),
offered specific online risk transfer products in the spring of 1997.
However, coverage was offered only to Web sites, and rates were high.

But as the Internet E-commerce revolution took shape, demand for
cyberinsurance burgeoned. More insurers entered the market, driving
down prices, broadening coverages, and increasing overall protection
limits. The result, says Adam McDonough, senior vice president at
Willis Insurance Services, in San Francisco, is that "we're in the
midst of a warming trend. The user unfriendliness that characterized
this product is fast disappearing. [Consequently], corporate
purchasers should focus on covering their liabilities to others
resulting from a security breach to their network--for instance,
sensitive data falling into the wrong hands, contaminated or destroyed
data resulting in financial loss to customers, a denial-of-service
attack leading to delayed or lost orders, and so on. Limits to
consider will vary widely, depending on the nature of operations, but
$5 million to $20 million is a good start."

Cyberattacks

Demand for cyberinsurance has exploded in the wake of three major
cybersecurity breaches in the past six months. The first involved the
penetration of CD Universe by a hacker dubbed "Maxus," who stole some
300,000 customer credit card numbers. Maxus demanded a ransom payment
of $100,000 to return the numbers, and made good on his threat to
release them to the public when the online music retailer balked. He
has yet to be apprehended.

The second breach was the notorious denial-of-service attacks in
February against Yahoo, eBay, Amazon.com, and other popular Web sites.
The hackings shut down the sites for several hours, causing more than
$1.2 billion in total losses, according to The Yankee Group. The
Boston-based consulting firm tallied each company's lost revenues,
lost market capitalization due to plunging stock prices, and the cost
for systems security upgrades. One of the hackers, a Canadian teenager
with the colorful handle "Mafiaboy," was later apprehended.

The third breach is really a series of breaches: the recent plague of
E-mail viruses that infected systems and networks around the globe.
They include the infamous Love Bug and the so-called résumé killer.

Each of the attacks showed the vulnerability not just of online
businesses but of all businesses, deepening the awareness of
E-commerce risk. And while most property/casualty policies failed to
cover that risk, several major and more than a few minor insurers have
moved to fill the void, including Lloyd's of London, Zurich Insurance
Group, and Chubb Group of Insurance Cos.

"The new policies made their debut at the beginning of the year, a few
weeks before the well-publicized security breaches," says McDonough.
"The insurers' timing was perfect. All the publicity given the
hackings has translated into tremendous interest."

The policies are roughly comparable, covering a variety of similar
exposures. AIG's NetAdvantage Program, for example, addresses a host
of E-commerce disruptions, including cyberextortion, content
defamation, copyright and trademark infringement, denial-of-service
attacks, viruses, theft of information, and destruction or alteration
of data. The insurer also offers rewards for information leading to
the apprehension of hackers and expense reimbursement for post-hacking
crisis-management activities.

Cyberinsurance policy costs vary widely, however, depending on the
size and type of company insured. That said, costs have come down: a
year ago a large company paid $45,000 to $50,000 per million dollars
of coverage, versus about $15,000 to $25,000 today, McDonough says.
"As more capacity enters the market in the form of new competitors,
and loss experience continues to be positive," he says, "pricing will
certainly fall to the point where coverage becomes affordable for
smaller and midsize companies."

Barriers To Entry

Widespread adoption of cyberinsurance has been hampered by insurers'
insistence (as a precondition to coverage) that policy applicants
undergo a rigorous security assessment by a third-party technology
security firm. The process takes time, and is invasive (the security
firms perform on-site technology audits and so-called ethical
hackings, in which they attempt to penetrate a client's system to see
if, or more likely how, it could be done) and expensive, with the
entire cost borne by the applicant. The cost of the security audit can
run into the tens of thousands of dollars for start-up dot-coms with
no security track records--and that's before tacking on an insurance
premium.

Take the case of AlphaTrust Corp., which was put through its paces
last fall by Insuretrust. "Our security assessment cost us about
$20,000," says Bill Brice, CEO of the Dallas-based electronic
signature firm, "but we feel the cost was worth it. We provide
technology that enables secure transactions to take place between
online businesses. If someone were to access the digital credentials
of one of our users to make a fraudulent transaction, it would erode
our brand. Although the chance of this is exceedingly remote, you
never know."

So AlphaTrust decided to make sure its "fraud-free" warranty to
customers was backed up by appropriate insurance. "We went through a
detailed 'top to bottom' physical and technical analysis of our
security, networks, and procedures," Brice says, noting that the
company would have undertaken this analysis on its own, had not its
insurer required it. "It validated our entire architecture," he
explains.

Atlanta-based LockBox Communications Inc. also paid for the security
assessment required by insurance broker Marsh, which offers NetSecure,
a suite of cyberinsurance policies backed by several insurers'
capital. The assessment can have value beyond the mere vetting of a
potential client. Marsh uses a third party, Internet Security Systems
(ISS), also based in Atlanta, and when the audit was complete, LockBox
CFO Chris Williams says, "they came back with a few suggestions, which
were helpful and which we implemented. As part of our coverage, ISS
will provide ongoing monitoring of our security processes." Williams
wanted the testing at least as much as the insurance itself. "We're
still waiting to see how much it will cost, and so far things look
good," he says. "There's no way I'm going to go bare [without
insurance]. But the audit is just as valuable."

Other companies, however, balked at paying for the required security
audit. "We were talking with Marsh last fall about our need for
cyberinsurance, when they said we had to undertake a $25,000 security
assessment," says Bill Pedersen, CFO of Milliman & Robertson, a
Seattle-based firm of consulting actuaries and health-care management
professionals. "They presented such a list of hurdles we'd have to
surmount, in terms of an audit, that we decided to go bare. Plus, they
were asking way too much."

Milliman & Robertson created a Web site last year to sell online
continuing medical education (CME) courses to physicians, and wanted
insurance to absorb the risk of customer credit card theft. "We wanted
to make sure we had financial protection in the event an unauthorized
individual used our Web site to gain access to internal networks and
customer data," says Pedersen. "At the end of the day, given the cost
of the underwriting audit, we decided to absorb this liability through
prudent risk management." So the firm added some monitoring tools to
the site, as well as Web security solutions.

An End to Audits?

But as competition heats up, McDonough says, expensive audits are
beginning to fall by the wayside. "Underwriters are realizing they
have to take a certain amount of information on faith--that their
clients know what they're doing, have a good track record, and can
show in laymen's terms that they're secure," he says.

AIG is among those companies moderating their stringent underwriting
stance. The New York-based insurer recently introduced a three-level
underwriting process. The first level involves an online application,
and, if the company passes relevant underwriting criteria, a
conditional premium quote is provided within two days at no cost to
the applicant.

The second level involves an online assessment, in which the applicant
completes a security questionnaire and the insurer's
technology-security partners (companies that include IBM, RSA
Security, and Global Integrity Corp.) evaluate the applicant's
security remotely, a cheaper alternative than an on-site audit. The
third level calls for the full-bore customary physical assessment.

Caveats And Caviling

A less-stringent underwriting process may not be appropriate for all
companies, however. "A remote scan of a company's security doesn't
deal with the human-element issues, which are really the major
issues," says Steven Haase, CEO of Insuretrust.com. "You need someone
to examine the business model, policies, and procedures, in addition
to scanning the systems. Look at it this way: lots of fires occur at
sprinklered facilities because someone shut the sprinklers off. There
is no such thing as an airtight system, because they're all dependent
upon people."

"I'd be very cautious about underwriters willing to provide insurance
without really taking a look at your procedures and policies," says
Ron Johnson, western regional manager of E-business solutions at
Zurich U.S. in San Francisco. "Insurers are trying to buy market share
by approaching E-risks like traditional insurance. But these are not
traditional exposures. There will be some really serious losses in
this market in the next month or next year. And that will scare the
pretenders away."

Such scenarios may raise questions about whether, in such a new
market, coverage levels will be sufficient. McDonough says the top
insurers offer limits of $25 million and beyond, which would be enough
to cover most losses--at least based on past types of damage.
Companies that suspect this may not be enough can stack several
insurers to achieve additional coverage. Analysts urge companies to
get their legal departments involved in approving the policies;
insurance contracts are often vague, and, given that there may emerge
heretofore unknown forms of cyberrisk, a well-written contract may be
the best defense.

Russ Banham is a contributing editor of CFO.


Point-&-Click Applications

The increasing popularity of, and competition in, cyberinsurance has
prompted several insurers to develop a more flexible underwriting
posture. Lloyd's of London, which entered the cybermarket six months
ago with a requirement that applicants submit to stringent security
audits, recently announced it would quote an insurance price to some
applicants following completion of a detailed policy application.

Ditto for confusingly named Insuredotcom.com, a Seattle-based
underwriter for Safeco Insurance Cos., also in Seattle. "We decided an
onerous underwriting strategy was scaring off buyers," says John
Sacia, president of Insuredotcom.com. So the company developed its own
online questionnaire, comprising as many as 250 queries, to divine an
applicant's vulnerability to security risks. Although the
questionnaire, typically completed by risk managers, chief information
officers, and, where warranted, legal counsels and CFOs, is dense, at
least it's free--a far cry from $25,000 security audits.

Once the questionnaire is filled out and uploaded, Insuredotcom.com
places the applicant within one of 30 risk classifications. "If you're
a new dot-com with nothing more than a portal doing a bit of
advertising but no credit card transactions, you'll be classified
quite a bit differently than, say, Amazon.com would be," says Sacia.

CFO Bill Pedersen of Milliman & Robertson has talked with Sacia and is
reconsidering his decision to go without E-insurance. "He told me we
could point-and-click our way to insurance," Pedersen says. "I've
agreed to fill out the application with my IT people so we can get an
idea of price and how comprehensive the insurance will be. Depending
on these factors, I'll make a determination whether or not to buy."
--R.B.

--------------------------------------------------------------------------------

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".