Firms' hacking-related insurance costs soar

[InfoSec News <isn () c4i org>]

http://www.usatoday.com/money/industries/technology/2003-02-09-hacker_x.htm

By Jon Swartz
USA TODAY
2/9/2003 

SAN FRANCISCO -- Computer worms and viruses cost companies time and
cleanup costs - and now higher insurance premiums.

Many insurance companies - overwhelmed with hacking-related claims the
past two years - have sliced hacking losses from general-liability
policies, forcing companies to spend extra for "network risk
insurance," which costs about $5,000 to $30,000 a year for $1 million
in coverage.

"Insurers are delivering an ultimatum: Invest in stand-alone hacker
policies or go unprotected," says corporate attorney Bob Steinberg.

That's a dangerous proposition. Losses from computer crime are
expected to soar 25% to $2.8 billion in the USA this year, says market
researcher TruSecure.

Successful Web-site attacks nearly doubled to 600 a day. Hacker
insurance is expected to jump from a $100 million market today to $900
million by 2005, market researcher Gartner says. That may result in
higher costs for consumers as the cost of doing business goes up.

"Hacker insurance will be ubiquitous in a few years," says Bruce
Schneier, chief technology officer of Counterpane Internet Security.  
"You can't budget for the next computer worm, but insurance is a fixed
cost that reduces risk."

The threat of computer worms such as Slammer, which recently clogged
global Internet traffic, underscores Corporate America's growing
dependence on the Internet and the vulnerability of its computer
networks.

The Code Red worm in 2001 caused an estimated $2 billion in damages
and cleanup costs.

Such security breaches prompted the government in September to urge
companies to insure against losses and for insurance companies to
offer more cyber-risk policies as part of its "National Strategy to
Secure Cyberspace" plan.

As technology grows more complex and creates security holes, companies
would "have to disconnect every PC to be safe," says Ron Ben-Natan,
chief technology officer at security firm Guardium.

Until recently, companies relied on general liability policies to
cover data losses from computer theft and stolen trade secrets.

But with the spread of viruses and worms - which electronically damage
computer data from remote locations - companies increasingly were
forced to sue insurance providers to collect. That prompted more
stand-alone policies from some of the biggest insurers, including:

* American International Group, the largest network-security insurer,
  recently created stand-alone coverage for viruses and credit card
  and ID theft.

* Hiscox, a Lloyd's of London syndicate, last year initiated a policy
  for telecommunications, media and technology companies that covers
  virus and hacker losses.

* Chubb now offers financial institutions a policy for "e-theft,
  e-vandalism and e-extortion."

* Zurich North America, in one plan last year, added a reward for
  information leading to the conviction of cyberterrorists.

In addition to the premium, companies have to pay upfront to have
their networks assessed. That can cost thousands. And hacker insurance
isn't entirely foolproof, security experts warn. Some coverage is
limited and may not cover sophisticated worms and viruses that have
yet to surface.

"It may take a few years for insurance providers to shore up holes,"  
Steinberg says.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.