MARKETING


CYBER THEFT

Insurers provide products for growing exposures,
but more client education is needed

By Phil Zinkewicz



"U.S. companies ... need to fully address these risks--for example, failure to protect confidential information, intellectual property infringement and failure to prevent transmission of computer viruses--before they experience major financial losses."

--Bill Rohde, President, St. Paul's global technology division

In today's rapidly evolving world of e-business, a major area of concern is the frequency and severity of corporate information system breaches. Despite the efforts by companies to protect proprietary and sensitive information, system breaches continue to rise. And, when those violations occur, millions of dollars can be lost, stolen or otherwise unaccounted for. For that reason, independent agents and brokers have a responsibility to inform their clients of the exposures that exist and the coverages that the insurance industry is offering to protect them.

One case of e-fraud began after September 11, when the building that housed District Council 37 Union's credit union (Municipal Credit Union) computers was damaged, severing the credit union's computer link to the core database for several days. As a result, ATMs had no electronic safeguards to monitor ATM activity, allowing a reported 4,000 government and health workers to overdraw their accounts and stiff the credit union about $15 million.

Here are some other examples:

In Ohio, a woman was convicted and sentenced to a year and a day for computer fraud. According to court documents in the case, she and an accomplice admitted attempting to defraud Chase Manhattan Bank and Chase Financial Corp. by accessing one or more of those institutions' computer systems without authorization, thereby obtaining credit card numbers and other customer information. Then, they transmitted that information to individuals in Georgia, who used the information to obtain goods and services valued at close to $100,000. The pair admitted that the aggregate credit limits for the targeted accounts totaled approximately $580,700.

In another case, the former chief technology officer of a Manhattan-based computer consulting company was arrested for transmitting threats via the Internet to his former employer. The man charged was allegedly disgruntled over severance terms at the time he left employment. After his termination from the company, the firm began experiencing computer and telephone voice mail disruptions. Certain customers of the company were directed to pornographic telephone services. Finally, the firm's chief executive began receiving e-greeting cards displaying voodoo dolls with skeleton-like figures.

In yet another case, in California, a Sacramento man was sentenced to 27 months in prison in connection with an Internet fraud scheme to defraud Priceline.com and others using credit card information unlawfully obtained from a credit union employee. In addition to his jail time, the miscreant was ordered to pay $116,869.30 in restitution. There are a great many more cases like these, all involving invasion of corporate computer systems.

The Computer Security Institute (CSI), established in 1974, is a San Francisco-based association of information security professionals that boasts thousands of members worldwide. Recently, the CSI released the results of its seventh annual study titled Computer Crime and Security Survey. Following are highlights of the survey, which was conducted with the participation of the San Francisco FBI's Computer Intrusion Squad and which surveyed 503 computer security practitioners in U.S. corporations:

* Ninety percent of respondents (primarily large corporations and government agencies) detected computer security breaches within the last 12 months;

* Eighty percent acknowledged financial losses due to computer breaches;

* Forty-four percent (223 companies) were willing and/or able to quantify their financial losses. These 223 respondents reported close to $456 million in financial losses;

* As in previous years, the most serious financial losses occurred through theft of proprietary information (26 respondents reported nearly $171 million) and financial fraud (25 respondents reported nearly $116 million);

* For the fifth year in a row, more respondents (74%) cited their Internet connection as a frequent point of attack than cited their internal systems as a frequent point of attack (33%).

Respondents detected a wide range of attacks and abuses. Here are some examples of attacks and abuses:

* Forty percent detected system penetration from the outside;

* Forty percent detected denial of service attacks;

* Seventy-eight percent detected employee abuse of Internet access privileges (for example, downloading pornography or pirated software, or inappropriate use of e-mail systems);

* Eighty-five percent detected computer viruses.

Patrice Rapalus, CSI director, says that this study should be a "reality check" for both industry and government. "Over its seven-year span, the survey has told a compelling story," says Rapalus. "It has underscored some of the verities of the information security profession, for example, that technology alone cannot thwart cyber attacks and that there is a need for greater cooperation between the private sector and the government. It has also challenged some of the profession's conventional wisdom, for example, that the threat from inside the organization is far greater than the threat from outside the organization and that most hack attacks are perpetrated by juveniles on joy rides in cyberspace.

"There is much more illegal and unauthorized activity going on in cyberspace than corporations admit to their clients, stockholders and business partners or report to law enforcement," continues Rapalus. "Incidents are widespread, costly and commonplace."

Another survey, released last summer by The St. Paul Companies, also showed that U.S. businesses continue to underestimate the risks involved in e-commerce. The survey of a combined total of 501 information technology (IT) managers and corporate risk managers responsible for their firm's insurance coverages indicated that, although companies continue to invest in IT security and rely on anti-virus software and other technological protection, risk managers are "out of the loop" when it comes to assessing their companies' Internet liability risks. Additionally, the survey showed that there is a widespread conflict between risk managers and IT managers on this issue.

"Clearly, U.S. companies continue to underestimate these risks," says Bill Rohde, president of global technology for St. Paul. "They need to fully address these risks--for example, failure to protect confidential information, intellectual property infringement and failure to prevent transmission of computer viruses--before they experience major financial losses."

The insurance coverages that St. Paul offers in the area of cyber exposures, according to Aaron Latto, director of the technology unit of St. Paul, include: "Internet Liability Protection" and "Networker." Internet Liability Protection offers coverage to insureds against losses emanating from a third-party liability situation, such as a virus that is transmitted from the insured company to an outside company. In addition, it covers an insured for failure to protect private and confidential information. Networker is a first-party program that provides coverage for losses such as denial of information and certain types of hackers that cause damage to the insured's computer information systems.

"Risk managers and IT managers must come to the realization that they have to work together to adequately protect the companies they work for," says Latto. "IT managers tend to depend upon sophisticated security software systems to protect their companies against cyber loss. Such systems certainly have a place in cyber risk management, but risk managers must be aware that insurance coverages have an important place as well."

"The Internet has spun a whole new web of liability exposures," says David Hilgen, a spokesman for Chubb Specialty Insurance. "Privately owned companies that venture onto the World Wide Web face liability exposures that are emerging, evolving and complex. Commercial companies that disseminate information to the public via Web sites face the same legal exposures as publishers, yet most have little or no concept of their resulting legal liabilities."

Chubb is among those companies that offer insurance products specifically designed to address those liabilities. Chubb's "Power Source Internet Liability Insurance" program and the company's "ForeFront Portfolio Internet Liability Insurance" program both offer coverage for such exposures as alleged negligent acts, errors or omissions in connection with an insured's Internet activities, media exposures faced by companies operating in an online environment, protection for directors and officers, board managers or management committee members.

"Chubb spares businesses the worry of selecting qualified legal assistance and helps manage a strong defense by assigning expert, seasoned counsel, dedicated to securing a positive outcome," says Hilgen.

David O'Neill, vice president of e-Business Solutions at Zurich North America, says that Zurich's "E-Risk Edge" program protects companies against such exposures as: unauthorized use of a firm's data or software; computer viruses that damage or impair a firm's data or covered systems; attacks on systems that result in the inability to perform or gain access to e-business activities; theft of money, securities, data, software or computer resources; and e-business extortion. The program also covers libel, slander, disparagement, copyright infringement and public disclosure of private information.

"We all read about companies that have breaches in their systems that come from the outside," says O'Neill. "There are the young people who infiltrate a system just for fun, and disgruntled employees who want to get even with their bosses, intentionally causing damage to the firm's computer systems. But the fact of the matter is there can be significant breaches that come from inside the firm as well. Someone might send an e-mail that contains a virus that can cause damage. Perhaps a new employee has installed an anti-virus software package incorrectly. There are a great many things that can go blip in the night."

O'Neill says that Zurich itself had a problem with a virus last year. He said the company investigated the problem and decided to cut off all employee use of e-mails with the exception of the company's own corporate e-mail system. "Some companies allow employees to use other e-mail systems," he says, "and that's their choice. But they should realize that they are increasing their exposure to viruses. We believe that controlling the flow of e-mail is very important."

The Zurich executive says that the company underwrites e-business risks extremely carefully. "We want to know as much about a company's technology as possible. We want to know if a company has an IT policy in place. We ask about the firm's employees. Have the employees been scrutinized properly? Do they have the proper credentials to use the company's systems? Does the company have outside people using the system? Sometimes companies have employees who work in remote locations. How do they get in or out of the system? Does the company periodically change passwords? Sometimes, we ask the company to have an independent technology audit done before we insure them."

O'Neill describes the difference between traditional insurance coverages and the specialized coverages of E-Risk Edge. For example, traditional business interruption insurance usually requires direct physical damage or loss to tangible property, he says. E-Risk Edge protects against lost income that results from covered e-business related losses. "For example, when a company's network is subject to a denial of service attack or is infected by a virus. It also covers extra expenses related to the e-business interruption, including part of the cost of investigating the reason for the interruption," says O'Neill.

For businesses that are dependent on other product or service providers, traditional insurance covers only a company's business and assets. "With E-Risk Edge, a firm gets broad coverage for lost business income as a result of a problem at vendors of goods and services that are critical to the firm's business," says O'Neill.

The Zurich executive summed up this way: "The electronic transfer and storage of information has become a basic tool for doing business faster and smarter. We've become so comfortable using electronic tools that we sometimes underestimate the risks they bring with them. IT people are beginning to realize that they need specialized, tailor-made insurance coverages, and that's what we're offering. We want to 'partner' with corporate America in terms of protecting its technology."