Because information is the currency of modern commerce, businesses today can't effectively operate without myriad technologies to collect, store and transmit data on an enterprisewide basis. The growth of these technologies, however, has changed the way businesses work and added another risk management concern--security risk.

While the Internet creates an important sales channel and helps increase productivity, it is a public domain. Criminals can target organizations of all sizes in search of personal or confidential information. Those involved in identity theft can quickly turn an illegal profit from pilfered Social Security or credit card account numbers.

Given today's fluid employment environment, organizations must also be mindful of internal threats arising from the acts of a disgruntled employee seeking either revenge--by damaging technology assets--or financial gain by committing computer fraud.

In addition, a directed attack on an enterprise that serves multiple customers--such as an Internet portal, information aggregator or financial transaction facility--can have an impact far greater than a directed attack upon a system servicing a single enterprise.

Historically, information security breaches have not been reported for fear of damage to the company's reputation, but times have changed. Along with monetary losses, companies may face legal penalties for nondisclosure of certain types of information under statutes and regulations enacted at federal and state levels.

For example, at the federal level, the 1996 Health Insurance Portability and Accountability Act and the 1999 Gramm-Leach-Bliley Act impose new information-security standards for health care providers, insurers and financial institutions holding personal information.

The 2002 Sarbanes-Oxley Act puts new disclosure burdens (many of which apply to data integrity) on directors and officers of public companies, and several data privacy laws are under consideration by Congress. In addition, at least 20 states have statutes that require consumer notification following a security breach.

For companies whose security proves inadequate, the consequences can be disastrous. Last July, credit card payment processing company CardSystems Solutions said it faced "imminent extinction" after data for 239,000 accounts was removed from its system. Details of 40 million cards were exposed to possible misuse. The breach led two major credit card companies to break off their business relationships with CardSystems.

Large companies with data-intensive operations are not the only ones at risk. Any organization can have security breaches, and they can be costly. Each year, the Federal Bureau of Investigation and the Computer Security Institute conduct a Computer Crime and Security Survey of data security professionals at various corporations, medical institutions, government agencies and educational organizations in the United States.

Last year's survey indicated a marked shift in computer crime toward theft of personal or confidential information. The survey's 700 respondents reported that the average financial cost of unauthorized access to information rose nearly sixfold last year to more than $300,000 from the prior year.

Expenses associated with this type of computer crime may include investigation costs, notifying customers of a potential security breach and addressing a system's vulnerability.

Unlike more traditional perils such as fire or wind, where established risk management standards and principles can be implemented to reduce exposure to loss, no widely available standards apply to information security. Each organization is left to establish its own risk-management procedures.

To date, this approach has produced mixed results, principally due to the complex and varied nature of computer and network technologies.

An effective information-security policy combines properly deployed technology and strong management measures. In addition, high-risk organizations especially, such as financial institutions and health care providers, must be aware of and comply with any applicable data-security statutes or regulations.

Organizations able to demonstrate effective data-security controls might be able to purchase additional levels of insurance protection beyond what is presently afforded by commercial crime, general liability and property insurance policies. Buyers should be mindful that many insurers uncomfortable with the exposure no longer provide coverage for data-security exposures in standard policies.

Some insurers offer custom-tailored protection for data-security exposures in one of two ways. Lines of insurance such as directors and officers liability, errors and omissions, or professional liability provide insurance platforms that may effectively address this exposure.

This approach is well suited for most companies, because data protection is a core business activity, similar to financial accounting and human-resources management, and coverage is contemplated in many of these liability products. Be aware, however, that insurers may exclude data-security exposures from these products, as well.

The other approach is to offer separate protection for the whole spectrum of data-security risks under a "cyber" or data-protection insurance policy. Typically, these policies are purchased by organizations with a high level of risk and may require independent security assessments as part of the underwriting process.

Even the most stringent security measures can't prevent all losses. Smart companies manage their exposures and ensure they have adequate insurance to protect against a breach of information security. In today's world, a company can't afford not to protect itself from the loss of the information it needs to stay in business.


© 2024 ALM Global, LLC, All Rights Reserved.