London Market Meeting Digital Risk Challenges
Digital risk is no longer just a perceived or theoretical threat. Many companies have already learned to their cost just how damaging cyber attacks can be.
PricewaterhouseCoopers has estimated that viruses alone are costing industry worldwide $1.4 trillion. Meanwhile, President George Bush has reportedly boosted the FBI's budget by 8 percent to prepare for a "cyber-Pearl Harbor."
Indeed, the potential scope of this risk now seems to be escalating at an exponential rate. Not long ago, e-mail and the Internet were foreign concepts to many. Now the work of many offices grinds to a halt whenever there is a "connection problem." Attend a meeting, and these days, rather than a notebook and pen, colleagues will be taking minutes on their laptops or personal digital assistants.
As companies have come to depend on such technology, they naturally have wanted to protect and insure against threats to their systems, but have found coverage is not always easy to find.
How the London company market effectively meets this challenge is the raison d'être of the International Underwriting Association's digital risk working party.
The group was set up in the summer of 2001 and is made up of professionals from across the industry. Its function is to advise IUA members and assist the London market generally in this emerging area of business.
Key questions have included an analysis of what elements of e-risks are insurable and whether underwriters are aware of what covers they are insuring.
The interconnectivity of today's global electronic systems means that network attacks can be very quickly spread across the Internet at an uncontrollable rate. Just a few weeks ago, the so-called Blaster Worm, also known as MSBlast, launched itself on the web infecting hundreds of thousands of machines in a matter of hours.
Internal threats can also prove extremely damaging in a very short space of time. These may come from entirely innocent employee errors as well as the malicious actions of disgruntled staff.
Yet a survey of leading IT directors and business executives by Ernst & Young, which is represented on the IUA's digital risk working party, found that only 40 percent of respondents were confident they would detect a systems attack. Further, less than half worked for organizations with information security training and awareness programs.
Ernst & Young's Global Information Security Survey 2002 concluded that "there are some alarming gaps and some organizations could be judged irresponsible in their approach to information security, the management of which is now critical to business survival and competitive advantage."
Another worrying conclusion of the report was that many organizations seem ill-prepared to respond to any digital threat that does materialize, despite clear evidence that critical business systems are increasingly being interrupted (75 percent of respondents had experienced unexpected systems unavailability).
The survey found that 40 percent do not even investigate information security incidents as a matter of course, while only just over half had any business continuity plan in place.
In addition, even though many attacks are thought to originate from within an organization, only 41 percent indicated concern about internal threats.
Given such levels of uncertainty, it is understandable that underwriters have always been cautious when approaching this new area of digital risk. There is, of course, no historical data to rely on and the risk landscape is constantly changing as new vulnerabilities and technologies emerge.
Thus, estimating potential losses can be something of a lottery and capacity consequently has been relatively restricted. The hope of insurance buyers that digital risk would become a standard feature of commercial policies has not materialized. Instead, a relatively small, specialized sector has developed within the London market.
The work of the IUA's digital risk working party has been to tackle these problems from two directions. Firstly, its primary objective has been to demystify the issue of digital risk and help raise awareness of the issues the market faces.
Underwriters have been alerted to their potential exposures from digital risk, and a transfer of knowledge between IT managers and underwriters has been strongly encouraged. Only through such dialogue can the market gain the knowledge it requires to properly provide necessary covers.
A second area of focus has been to help improve the apparently inadequate levels of risk prevention revealed by Ernst & Young's survey.
This has involved software, hardware and e-business infrastructure solution providers being offered discussion platforms via the IUA, enabling problems surrounding viruses, hacking and breaches of data protection to be more fully recognized.
An important part of the working party's program was the hosting of a digital risk seminar in May last year, which sought to provide an introduction to the issue by identifying what constitutes digital risks and how they might affect companies. It also began exploring the actions the London company market was taking in response.
Another digital risk seminar in London is planned by the IUA later this year, which will examine the key issue of corporate governance in the management of digital risk.
The management of digital risk has re-defined corporate governance requirements with heightened levels of vulnerability necessitating increased vigilance at several different levels within an organization.
It is now clear that information security cannot be regarded purely as a technical issue to be left to an IT department alone. In cases where such an attitude is adopted, it can lead to technology solutions that do not support business processes.
Most dangerous of all, according to Ernst & Young's security survey, is the possibility that a board will feel confident an organization is adequately protected, when in reality investment has been undermined by a lack of awareness and training.
A successful digital risk management strategy requires full cooperation between technical and business managers.
Traditional risk managers with financial backgrounds are often divorced from the day-to-day operation of IT security programs. In short, digital risk management is a strategic board-level issue that requires solutions to be effectively implemented throughout a company.
Ernst & Young found that 60 percent of organizations expect to experience greater vulnerability as connectivity increases. Future growth in electronic commerce, combined with other related factors such as globalization, will ensure that digital risk is not allowed to drift off the London company market's radar.
Increasingly, insurance cover to protect against such risk is being sought by insurance buyers, as awareness and knowledge of potential threats grows.
If the market is to successfully manage and provide for this future demand, it will have to reassess traditional underwriting criteria in order to reflect the new and original nature of digital risk.
It is with this in mind that London company market members and other organizations are working with the IUA's digital risk working party. While expanding their own knowledge, such efforts will also go a long way toward helping achieve the group's primary objective of demystifying the issue across the industry as a whole.
Mr. Skinner is chairman of the International Underwriting Association's Digital Risk working party. He also is senior ICT underwriting specialist in London for Chubb Insurance Company of Europe.
Reproduced from National Underwriter Property & Casualty/Risk & Benefits Management Edition, September 1, 2003. Copyright 2003 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.