Got Cyber Insurance?
Deborah Radcliff
August 21, 2000
(Computerworld)
Thanks to a crippling series of computer attacks in 1998, Seattle-based Viznet Inc., an online merchant exchange network service provider once valued at $1 million, is now selling off its customer lists for $50,000. The worst damage occurred when the attacker spammed Viznet's 90 merchant customers, claiming Viznet was a cover for a pedophile ring. The attacker, a former programmer at the company, knew that the wife of owner/operator Jim Vizner owned a day care center.
Vizner calculates that direct losses - denials of service, replacing data that was chewed off the hard drives, customer attrition and public relations costs - amounted to $340,000. As those losses piled up, he called his insurance company.
Read the Fine Print
Because security liability insurance is so new, attorneys and buyers suggest that before you buy a policy, have someone - preferably an insurance or technical attorney - go over it with a fine-tooth comb. Some questions to ask:
Does the policy cover all areas of risk, indirect and direct damages incurred from carelessness and attacks, and viruses from within and without?
Does the insurer require a thorough security assessment? Can you get competitive bids? How do its criteria stand up against those of others?
How often does the insurer perform cybersecurity "inspections"?
Does the insurance policy pass the review of an IT and/or insurance attorney?
That ended up costing him the most dearly - 18 months of his life spent away from the languishing Viznet while he battled with the insurance company and visited insurance regulatory agents and attorneys. No payout on benefits ever materialized. And now, all his calls to the insurer are referred to an attorney.
"My business is gone. My wife's business is gone. Now, I just hope we can hold on to our house," says a disheartened Vizner.
Vizner could have protected his company with cyberliability insurance. The problem is, such insurance wasn't even around when the attacks started. Even if it had been, it would have been expensive. The average entry point for such policies is around $20,000 per year, with high deductibles.
Traditional Policy Exclusions
Insurance companies can't very well apply brick-and-mortar costing and actuaries that were framed in the 1960s to digitized assets. They're still answering some tough questions: How do you determine the value of the data at risk? How do you conduct "cyber" inspections? And how do you determine acceptable risk levels, let alone evaluate losses?
"Insurance companies, like all industries, are just now coming to grips with the real impact of technology among their clients," says Jim Bond, a technology attorney at law firm Gowling, Strathy & Henderson (www.gowlings.com) in Ottawa. What Bond means, in layman's terms, is that traditional business-liability policies won't even touch cyberdamages because, as the risk model stands now, the insurance companies will lose their shirts.
To fill this gap, a handful of specialty insurers have emerged in the past 18 months. The biggest players in this space include Insuretrust.com LLC in Atlanta (www.insuretrust.com), Hamilton, Bermuda-based Ace Ltd.'s information technology products group (www.acelimited.com) and Okemos, Mich.-based J. S. Wurzler Underwriting Managers Inc.'s Website Insurance & Security Program (www.jswum.com).
But these specialty offerings are expensive. And Vizner says he, like millions of other small business owners, simply can't afford the premiums.
That leaves people like Vizner, who's now developing an online credit-card and shopping-cart services business, with only one other option: self-insurance. That means managing risk by building strong security into the infrastructure itself - a task Vizner has hired some top security talent to handle. And it also means establishing a slush fund to cover repair costs should an attacker wreak such havoc again.
"We're going to outline our new organization to provide our own first line of defense. After all, it's the smaller companies who use some of the best software to minimize these attacks," says Vizner.
That's not to say Viznet's systems were insecure to begin with. No reasonable amount of security would have protected the firm, because it was attacked by an insider with intimate knowledge of the systems. Christopher Bisciglia, who was 18 at the time of the attacks, pleaded guilty in a Washington court in June to unauthorized access and computer damage at Viznet. He could go to prison for up to a year and be fined $100,000.
Bisciglia, a former employee who Vizner says was "brilliant" in developing his company's proprietary applications in a powerful Web content development tool, had built his own back doors and booby traps. Vizner is awaiting Bisciglia's sentencing before deciding whether to file a civil suit against him.
This type of internal threat is why Stephen Furst, president and chief operating officer at Djangos.com, which sells CDs and videos over the Internet and at eight retail outlets nationwide, decided to buy security liability insurance. But Furst, who has 25 years of intellectual property to protect in addition to Djangos, says he can't afford not to take out cyberliability insurance.
"In our case, we're a fully integrated click-and-brick. Our entire network - distribution, store offices, point-of-sale terminals and customer kiosks - is integrated with our stores. Everything is browser based," Furst says. "We have a lot more at risk than just a Web site going down."
But Furst, who looked at two insurers before choosing Insuretrust.com, wouldn't have bought any cyberinsurance without an attorney's review of the fine print, he adds.
Similarly, insurers won't take on any cyberliability without assessing risk. That's why these emerging cyberliability insurance carriers first require network security evaluations and, if necessary, some security cleanup work before issuing policies. The good thing about these evaluations is that they may eventually lead to standardized security models and standards of acceptable risk, says David Tapper, an analyst at International Data Corp. in Framingham, Mass.
And such standardization should help both customers and insurers, according to Jonathan D. Gale, deputy underwriter and director at R. F. Bailey Ltd., one of 120 underwriting agencies for Lloyd's of London (Lloyd's backs J. S. Wurzler's policies). "Our rating is based on the comprehensiveness of the engineering and audits. If the engineering firms do their jobs properly, there should be no losses," Gale says.
Already, Furst considers his company's $20,000 security evaluation the most important part of the insurance process. Like Vizner, Furst says the best risk management begins with good physical and logical protection. "The study covered every facet - from hiring practices at our stores [to] corporate and IT [to] database access controls and protocols to the locks on the doors," he says.
Buddy System
To further reduce their risk, insurers are also buddying up with security services companies, which handle ongoing audits and, in some cases, outsourced security services.
For example, J. S. Wurzler recently announced a partnership with Hewlett-Packard Co.'s Mission Critical Services group through which Interex (the International Association of Hewlett-Packard Computing Professionals) in Sunnyvale, Calif., will sell e-commerce insurance to HP customers.
In addition to HP, Internet Security Systems Inc. in Atlanta (www.iss.net); IBM Global Services (www.ibm.com); Counterpane Internet Security Inc. in San Jose (www.counterpane.com); Rockville, Md.-based Axent Technologies Inc. (www.axent.com), which recently agreed to be acquired by Symantec Corp.; and Comstar.net Inc., a business-hosting Internet service provider in Atlanta, offer security insurance policies bundled with other services, says Tapper.
Tapper says security liability insurance is taking off fastest in such services companies, but buyers like Furst and Vizner say they would prefer lower-cost, all-inclusive business policies to cover the bricks-and-clicks.
J. S. Wurzler is already looking into establishing a single insurance policy that covers the physical (fire, burglary and others) and the logical (data recovery and online business) aspects of business, says CEO John S. Wurzler.
Ace is also taking a serious look at developing a single business policy program, according to Mark Greisiger, director of business development for Ace's IT products group. "[Cyberliability is] a stand-alone policy right now because it takes a high degree of engineering knowledge to underwrite these things," he says. "In a couple years, the trend will be that IT insurance will become part of our standard coverage, because every one of our business clients has some e-business."
If a uniform level of protection and risk model is met, data protection insurance should become more feasible, says Tapper. Maybe then, small-business owners like Vizner can do more than manage their own risk. Because more than anyone, he knows what can happen when you're unprotected.