Ignore Cyber-risks At Your Peril: Experts

“Cyber-risks,” the threats posed to computer and Internet systems by hackers, viruses and other sources, are too frequent and costly to ignore, admonished security and insurance specialists at a recent forum held in New York City and Menlo Park, Calif.

Lloyd's America, Inc. of New York City and Tripwire, Inc., a provider of data and network integrity solutions based in Portland, Ore., co-sponsored the “Cyber-Risk Management for the 21st Century” forum in June. It was aimed at underwriters and risk management professionals.

Wendy Baker, president of Lloyd's America, set the tone by describing the “dramatic speed of change” in the use of new technologies–and in the corresponding risk of harm.

Comparing the growth rates of radio listeners, television viewers and Internet surfers, she said there are projections indicating that there will be over a billion Internet users by the end of the decade.

According to Morgan Stanley estimates, she said, U.S. expenditures on information technology in 2000 totaled $532 billion, representing a 23 percent increase over such expenditures in 1999.

Turning to the growing risks, she reported that the Love Bug computer virus, which affected about 45 million Internet users worldwide last year, caused financial losses the equivalent of the losses generated by the Exxon Valdez disaster in Alaska, the World Trade Center bombing, and the Chernobyl nuclear disaster combined.

She said that some of the elements of the “changing risk environment” are the new methods of conducting business, the rise of global economic enterprises unbounded by borders, increased competition, limited regulation, few guiding court decisions and “admittedly outdated insurance contracts.”

In Ms. Baker's view, the key actions to take in the e-commerce/cyberinsurance arena are identifying, assessing and managing risk.

Johnny Rowell, an underwriter and director of specialty lines for Beazley Syndicate, the largest independent managing agency at Lloyd's of London, observed that three years ago there were about six insurance companies underwriting cyber-risks. But that number has dwindled to “three or four global carriers” because it is such a volatile area, he stated.

As a result, the demand for cyber-risk coverage greatly outpaces supply, Mr. Rowell said.

John Spain, president of Information Risk Group, pointed out to National Underwriter that while many entrepreneurs have been quick to grab the benefits of global e-commerce, few have spent enough on building security systems necessary to protect themselves in the global setting. IRG, located in Raleigh, N.C., is a Pinkerton company offering IT security consulting services.

Referring to Pinkerton's annual survey of the top 10 crimes affecting Fortune 500 companies, Mr. Spain reported that computer crime, including that involving the Internet and Intranets, was in seventh place in 1999, jumping to third place in 2000 and to second place in 2001.

He attributed the lack of understanding of cyber-risks, in part, to old management views, which he said are at least 10 years behind the times.

“The old risk model that we've been using ever since the caveman” is based on proximity, Mr. Spain told those attending the forum. “Proximity says that if I can get away from my threat, then I'm safe,” he said.

But that model must yield to the fact that in today's connected, plugged-in environment, “a threat can be delivered from anywhere in the world right to your front doorif you don't have the proper security precautions” in place, he continued.

On the one hand, Mr. Spain emphasized that it is a mistake to think that cyber-liability insurance can replace good security controls.

On the other hand, he said that it would be a mistake for carriers to require companies to “unreasonably protect themselves” by building impenetrable “castles” around their assets, information and supporting technologies.

“No one would ever pass a [security] review” and no cyber-liability insurance would be sold, he observed.

Mr. Spain said that due to the varied technology deployed in organizations, a company is unlikely to have the expertise to handle all security issues internally.

But even outside security consultants and good security controls will not produce “a risk-free environment,” Mr. Spain stated. “You will always have residual risk you cant reasonably get rid of,” he warned.

Gene Kim, chief technology officer and co-founder of Tripwire, noted that computer hackers have more options at their disposal than do the companies they victimize.

He said that while hackers can modify computer viruses virtually every few minutes or even seconds, a company at best needs a week to implement a change to protect its computer systems from hackers. In fact, most organizations cannot make changes more than once per month or quarter, he said.

Reproduced from National Underwriter Property & Casualty/Risk & Benefits Management Edition, September 10, 2001. Copyright 2001 by The National Underwriter Company in the serial publication. All rights reserved.Copyright in this article as an independent work may be held by the author.

Contact Webmaster

Special Reports /

Ignore Cyber-risks At Your Peril: Experts

Related Stories

Recommended For You