Show Me The Cyberinsurance Claims

Insurers at the conference said the majority of claims so far relate to liability for Web content. They also agreed that only about 5,000 specialty policies have been written collectively to date.

One reason copyright infringement and other media liability-type claims dominate cyber-claims files is the fact that insurers have been slower to develop first-party coverages dealing with network security issues, they said.

Still, there have been a handful of security claims affecting cyberinsurers. Indeed, when a conference attendee asked about a victim of a widely-reported denial-of-service attack in early 2000, another conference participant mournfully disclosed that one of the best known names on the Internet did have insurance covering the event. He later requested that National Underwriter not report the names of the parties.

Mr. Norton, quoting statistics from the "2000 Computer Crime and Security Survey," highlighted the potential for more content-specific (liability) and network security-specific (property) claims.

The survey of 538 U.S. firms was conducted by the San Francisco-based Computer Security Institute, an association of information security professionals, with the participation of the San Francisco FBIs Computer Intrusion Squad.

Noting that 97 percent of businesses surveyed have a Web site, Mr. Norton said that one could argue that "if you have a Web site, you have liability" arising from potential infringement, defamation, and privacy issues. Adding that 47 percent of the businesses surveyed conduct e-commerce on their sites, he noted the potential for business interruption and cyberextortion claims, which not only cause financial damage, but can damage a companys reputation as well.

Focusing on a subset of companies that gave more details about financial losses (249 respondents), Mr. Norton noted that 12 percent said outages as a result of security breaches lasted one-to-five days. Reporting that 12 hours might be a "pretty reasonable" deductible to find in a business interruption policy, he said firms in that 12 percent group would "get a lot of benefit" under cyber-policies designed to cover first-party losses.

Mr. Norton also cited a lost revenue figure of $266 million for the 249 companies reporting detailed information in the CSI survey. But the figure is already out of date, according to a more recent CSI/FBI survey. In the 2001 survey, 186 companies reporting loss details for the last 12 months said their financial losses amounted to $378 million. The most serious losses were for theft of proprietary information (34 of the 186 reported $151 million), the survey found.

According to a press statement released in March, the 2001 CSI/FBI Survey also found:

Eighty-five percent of the total respondents (538 companies) detected computer security breaches, and 64 percent acknowledged financial losses.

Only thirty-six percent reported intrusions to law enforcement officials.

Ninety-four percent detected computer viruses and 38 percent fell victim to denial-of-service attacks.

"Once the Internet went live, we started to have issues, the issues have led to claims, and money has been paid. Its all happened that fast [and] the honeymoons way over," said Mr. Norton, suggesting that insurers have reacted to losses by tightening policy language.

For the most part, however, insurers at the conference described ways in which their products have grown, with various mix-and-match offerings of insurance, service warranty, trade credit and e-cargo solutions that can be tailored to meet changing needs of businesses.

Reproduced from National Underwriter Property & Casualty/Risk & Benefits Management Edition, September 10, 2001. Copyright 2001 by The National Underwriter Company in the serial publication. All rights reserved.Copyright in this article as an independent work may be held by the author.

Contact Webmaster