Agents Valuable In E-Risk Education

International Editor

Many insurance buyers in the small to middle market arena do notunderstand their exposures to e-risks and rely on their agents andbrokers to explain where theyre exposed, the coverage they need tobuy, and how to mitigate risks, according to cyber experts.

“I think there is a major role that agents can play either as riskmanagers or in getting companies to better manage e-risk,” saidAaron Latto, e-commerce underwriting director in St. PaulsTechnology Business Unit in St. Paul, Minn.

Indeed, helping clients with e-risks is an area that will helpagents distinguish themselves from another agent down the street,he said, noting that its a shared responsibility of agents andinsurance companies “to get everybody up to speed on thetopic.”

Each year, he added, more and more agents are embracing e-riskas being “in the set of standard risks that they need to thinkabout when giving good advice to a client.”

But the agent needs to be prepared to walk the client throughthe thought process, he said.

“First of all, agents need to raise the whole issue of e-riskwith the risk manager [or insurance buyer or finance person]because a lot of times its not even on the table,” he said.

The agent can say to the client that its important to thinkabout the risk and at least talk about where the buyers operationsmay be exposed, he added.

David ONeill, vice president, e-Business Solutions, Zurich NorthAmerica, Baltimore, affirmed the first step in the risk managementprocess is awareness.

“A lot of people in the past thought, Hey, we dont really sellanything online,” he said. “Thats completely wrong. Its not onlyabout online sales, although that can be part of it.”

Once a company has a network and has “connectivity to theoutside worldthe most rudimentary form being e-mailit has exposure”and could be hit financially if its systems go down, Mr. ONeillsaid.

“One of the things that were seeing is a growing reliance ofeven the smallest entity upon their computer systems,” said RobertParisi, chief underwriting officer for American InternationalGroups eBusiness Risk Solutions unit in New York.

Mr. ONeill said another step in the risk management process isrisk assessment, which involves understanding the causes and lossesrelated to their exposures. Then once the assessment is complete,Mr. ONeill said its important to categorize exposures. “Somecompanies may want to self-insure and some may want to transfer therisk.”

If the client wants to transfer the risk, then the risk handlingmust be ascertained, he continued. “Do you want to do that with aninsurance policy? Do you want to try to rely upon your existinginsurance policies for coverage?”

He emphasized, however, that while some people tend to believethey have coverage with other policies this may not be the case anda standalone e-commerce policy may provide more certainty in thecoverage.

Chris Cotterell, director of Safeonline, a London-based brokerand wholesaler with an office in Mason, Mich., said its importantthat a companys e-risk is properly assessed so the right coveragecan be purchased. For example, a company with simple e-mail access,which is only exposed to e-mail liability and e-mail abuse, wontwant to buy the same coverage as a company that sells products orservices online or one that relies totally on the Internet for itsbusiness.

Mr. ONeill said another step in the risk management process isloss control (a process that is facilitated initially via asecurity check provided by some carriers, including Zurich,online).

“Depending upon how extensive the network is, we would alsorequire an independent third party IT (information technology)security audit,” Mr. ONeill said. “The goal for us is to have asmuch information [as we can] so we can put our hands around theexposure and to structure the best insurance policy we can.”

In the loss control area, St. Pauls Mr. Latto said the agent canhelp the risk manager and the company view e-risk not just as atechnical issue.

“Its not just for propeller-head software coders in the backroomconfiguring the firewalls,” he said. “Its about softer issues too,like employee awareness and training, and the development ofcorporate policy to guide employee conduct in use of computerinternet e-mail resources.”

While there are some technical aspects connected to those kindsof programs, theyre principally “educational and communicational,”he said. “Lets say you go out and spend $1 million on the latestsecurity-related IT infrastructure and you think youre all set. Ifyouve got employees doing stupid things like not securing theirworkstations at night or using dumb passwords, it doesnt matterthat youve spent that money. You might as well not even have thesecurity system.”

He said its akin to getting a steel reinforced front door andfailing to lock it. “You might as well have a screen door.”

Mr. Latto noted that agents can also help break down the silosthat tend to exist between risk management, insurance people or thefinance people on the one side of the company and the IT people onthe other side of the company.

“Our studies have found that there tend to be those silos incompanies and that the people in the silos tend not to talk to eachother and tend not to work together, even though at the end of theday theyre really doing the same thingthat is protecting thecompany against risk and loss and lawsuits and down time, etc.,” hecontended.

The agent can help the client see that e-risk is a seniorexecutive or a boardroom level issue, he suggested, given therecent emphasis on corporate governance and the greater personalaccountability of executives and board members.

Mr. ONeill at Zurich affirmed that the e-risk analysis processis very collaborative. He said that brokers should work not onlywith the people involved in insurance buying decisions at clientcompanies, but also with other people within the operation as well,such as IT professionals, who may have different views on riskmanagement when it comes to the network.

Reproduced from National Underwriter Property &Casualty/Risk & Benefits Management Edition, June 30, 2003.Copyright 2003 by The National Underwriter Company in the serialpublication. All rights reserved.Copyright in this article as anindependent work may be held by the author.