Information Security News mailing list archives

Insurers Offer Incentives To Buy Hacker Insurance


From: InfoSec News <isn () C4I ORG>
Date: Mon, 5 Mar 2001 19:43:00 -0600

http://www.zdnet.com/intweek/stories/news/0,4164,2692341,00.html

By Robert Bryce, Interactive Week
March 5, 2001 6:39 AM ET

In the increasingly competitive hacker insurance market, American
International Group is making an offer it hopes prospective clients
won't refuse - a free, comprehensive security assessment.

AIG, the largest commercial insurance underwriter in the U.S., hopes
the free on-site security check - which ordinarily can cost tens of
thousands of dollars - will encourage more companies to buy insurance
coverage from it. AIG is one of the biggest players in a swarm of
underwriters and brokers that are rushing into the hacker insurance
market, a sector that the Insurance Information Institute estimates
could generate $2.5 billion in annual premiums by 2005.

The insurers' sales efforts are being aided by highly publicized
events such as the assault on Microsoft's Web site in January and the
more recent "Anna Kournikova" worm that tied up mail servers around
the world. Insurance industry officials said their business is
doubling every six to 12 months, as worries about hacking increase and
more information technology professionals realize their companies'
standard insurance policies don't cover risks incurred by their
Internet-based businesses.

"People aren't used to spending money on this," said Ty Sagalow, chief
operating officer at AIG eBusiness Risk Solutions. "The cost of the
insurance application [in the past] included - for almost everyone -
an on-site security assessment that would cost upward of $20,000,
whether you bought the insurance or not."

To help convince qualified prospects - applicants must be seeking $5
million or more in coverage - to buy insurance, AIG will pay
independent security firms Global Integrity and Unisys to do the
on-site assessments. The firms will do external probes and "ethical
hacking" of a prospect's Web site, as well as perform a two-day,
on-site analysis to determine what types of security problems the
company faces.

At the end of the assessment, if a prospect decides not to buy AIG's
coverage, the company can "keep the security report and assessments as
AIG's gift," Sagalow said.

Although AIG's assessment is free, some competitors expressed
skepticism. John Wurzler, chief executive and founder of J.S. Wurzler
Underwriting Managers, which specializes in Internet-related risks,
said AIG's offer may create a false sense of security among insurance
buyers.

"Security is not a product; it's a process," Wurzler said. He requires
the companies that his firm insures to do monthly security checkups.

What's Covered

Companies interested in hacker insurance can buy coverage either as a
package or à la carte. Some policies only pay for risks associated with
loss or misuse of intellectual property. Others cover liability for
misuse of a company's site by a third party, or damage caused by an
outside hacker.

Premiums are generally based on a company's revenue, as well as the
type and amount of coverage being sought. Rates vary. A package policy
that covers a range of risks, including liability, loss of revenue,
errors and omissions, and virus protection, can cost $6,000 to $20,000
per year - or more - for each million dollars of coverage in the
policy.

Given the range of costs and coverage, industry officials warn
potential buyers to be wary. Some policies cover only the amount of
net income lost due to hacking. A better choice for some companies may
be coverage for lost revenue.

Numerous variables can affect premiums. Just as a buyer of auto
insurance can choose a high dollar deductible to lower the premium,
hacker insurance buyers can choose different waiting periods before
coverage begins. For instance, a policy that begins paying for
business losses just four hours after a hacker shuts down a site may
cost more than a policy that begins paying after 24 hours of downtime.
These waiting periods, called time element deductibles, are variable
and depend on the kind of business being covered and the amount of
risk a business may face.

Companies can also get substantial discounts on their policies if they
have managed service contracts with an insurer-certified security
firm.

Security assessments are critically important for both insurers and
insurance buyers. Hacker insurance is such a new product that there
are no reliable actuarial tables to determine rates. Therefore,
insurance companies rely heavily on the assessments to help them
determine the amount of risk they are taking on with a given company.

For the companies seeking insurance, assessments should help them find
- and immediately fix - holes in their defense systems.

Stiff Competition

Underwriters competing with AIG - the Chubb Group, Fidelity and
Deposit Companies, St. Paul Companies, Lloyd's of London and Wurzler -
are rolling out a fleet of new products and alliances to help them
gain market share.

Chubb recently announced new coverages designed for online banks,
brokerages and insurance companies. Wurzler has joined with
Hewlett-Packard to market its products to a select group of HP's
clients.

Insurance brokers and security firms are teaming up to sell branded
products and services.

Marsh & McLennan Companies, the world's largest insurance brokerage,
is selling insurance provided by AIG, Chubb and Lloyd's. The brokerage
relies on Internet Security Systems to do its security assessments.
Counterpane Internet Security has allied with brokers Safeonline and
Frank Crystal & Co. to provide its clients with special policies
underwritten by Lloyd's.

"It's a wildly growing market," said Michael S. Flanagan, managing
director at Silicon Insurance, a division of broker Arthur J.
Gallagher & Co. Gallagher relies on accounting giant Ernst & Young for
security assessments, and its primary underwriters are AIG, Fidelity
and Deposit and Wurzler.

Hacker insurance has "been a small market because people were waiting
for e-commerce to hit," Flanagan said. "Well, now e-commerce has hit."

Flanagan and other insurers are finding a ready market for their
products because companies with Internet operations are increasingly
under attack.

A survey done last year by the Federal Bureau of Investigation and the
Computer Security Institute, an association of computer security
personnel from the private and public sectors, found that from March
1999 to March 2000, 27 percent of the 640 governmental agencies and
businesses that responded said they experienced denial-of-service
attacks. Viruses are also wreaking havoc. Losses from last year's
"Love Bug" virus were estimated to be as high as $10 billion.

AIG's move to lower the cost of obtaining hacker insurance shows the
market is beginning to mature, industry experts said. And security
analysts hope it will encourage more Net companies to get insurance
coverage.

Companies need to "understand that getting hacked is not just an
inconvenience," said Greg Grant, director of marketing programs and
strategic alliances at ISS.

"Anything Internet-facing is a point of vulnerability. Companies can
be attacked directly or they can be used to attack someone else.
There's real exposure and liability. They need to reduce their risk,
and the only way to do that is through proper insurance," he said.

ISN is hosted by SecurityFocus.com