Ignore Cyber-risks At Your Peril: Experts

“Cyber-risks,” the threats posed to computer and Internet systems by hackers, viruses and other sources, are too frequent and costly to ignore, admonished security and insurance specialists at a recent forum held in New York City and Menlo Park, Calif.

Lloyd's America, Inc. of New York City and Tripwire, Inc., a provider of data and network integrity solutions based in Portland, Ore., co-sponsored the “Cyber-Risk Management for the 21st Century” forum in June. It was aimed at underwriters and risk management professionals.

Wendy Baker, president of Lloyd's America, set the tone by describing the “dramatic speed of change” in the use of new technologies–and in the corresponding risk of harm.

Comparing the growth rates of radio listeners, television viewers and Internet surfers, she said there are projections indicating that there will be over a billion Internet users by the end of the decade.

According to Morgan Stanley estimates, she said, U.S. expenditures on information technology in 2000 totaled $532 billion, representing a 23 percent increase over such expenditures in 1999.

Turning to the growing risks, she reported that the Love Bug computer virus, which affected about 45 million Internet users worldwide last year, caused financial losses the equivalent of the losses generated by the Exxon Valdez disaster in Alaska, the World Trade Center bombing, and the Chernobyl nuclear disaster combined.

She said that some of the elements of the “changing risk environment” are the new methods of conducting business, the rise of global economic enterprises unbounded by borders, increased competition, limited regulation, few guiding court decisions and “admittedly outdated insurance contracts.”

In Ms. Baker's view, the key actions to take in the e-commerce/cyberinsurance arena are identifying, assessing and managing risk.

Johnny Rowell, an underwriter and director of specialty lines for Beazley Syndicate, the largest independent managing agency at Lloyd's of London, observed that three years ago there were about six insurance companies underwriting cyber-risks. But that number has dwindled to “three or four global carriers” because it is such a volatile area, he stated.

As a result, the demand for cyber-risk coverage greatly outpaces supply, Mr. Rowell said.

John Spain, president of Information Risk Group, pointed out to National Underwriter that while many entrepreneurs have been quick to grab the benefits of global e-commerce, few have spent enough on building security systems necessary to protect themselves in the global setting. IRG, located in Raleigh, N.C., is a Pinkerton company offering IT security consulting services.

Referring to Pinkerton's annual survey of the top 10 crimes affecting Fortune 500 companies, Mr. Spain reported that computer crime, including that involving the Internet and Intranets, was in seventh place in 1999, jumping to third place in 2000 and to second place in 2001.

He attributed the lack of understanding of cyber-risks, in part, to old management views, which he said are at least 10 years behind the times.

“The old risk model that we've been using ever since the caveman” is based on proximity, Mr. Spain told those attending the forum. “Proximity says that if I can get away from my threat, then I'm safe,” he said.

But that model must yield to the fact that in today's connected, plugged-in environment, “a threat can be delivered from anywhere in the world right to your front door if you don't have the proper security precautions” in place, he continued.

On the one hand, Mr. Spain emphasized that it is a mistake to think that cyber-liability insurance can replace good security controls.

On the other hand, he said that it would be a mistake for carriers to require companies to “unreasonably protect themselves” by building impenetrable “castles” around their assets, information and supporting technologies.

“No one would ever pass a [security] review” and no cyber-liability insurance would be sold, he observed.

Mr. Spain said that due to the varied technology deployed in organizations, a company is unlikely to have the expertise to handle all security issues internally.

But even outside security consultants and good security controls will not produce “a risk-free environment,” Mr. Spain stated. “You will always have residual risk you can't reasonably get rid of,” he warned.

Gene Kim, chief technology officer and co-founder of Tripwire, noted that computer hackers have more options at their disposal than do the companies they victimize.

He said that while hackers can modify computer viruses virtually every few minutes or even seconds, a company at best needs a week to implement a change to protect its computer systems from hackers. In fact, most organizations cannot make changes more than once per month or quarter, he said.


Reproduced from National Underwriter Property & Casualty/Risk & Benefits Management Edition, September 10, 2001. Copyright 2001 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.

