
Hacker Insurance - The Corporate Safety Net

No doubt you’ve read about it, and may even have experienced it first hand. Financial loss arising from malicious or accidental incidents involving computer networks and telecommunication systems is on the rise. As organisations’ reliance on the smooth running of their computer networks increases, so do a number of largely unanticipated risks which can affect this smooth running – ultimately impacting the bottom line. Examples of such risks include computer crime (including hacking), human error, accidental damage/data destruction and even outsourcing. Many of these risks are difficult to manage and therefore many businesses are transferring the risks to insurers in order to reduce their impact.

Costly

Many will appreciate from bitter experience that when viruses hit, the fallout can be massive, with impacts including lost sales, lost hours (including unbudgeted paid time off for employees), lost data, not to mention lost confidence. Similar impacts apply to hacking attacks, with skilled attackers often more than a match for standard computer security mechanisms including firewalls and anti-virus software. Whilst incredibly difficult to quantify, the annual cost to business is often quoted in the billions.

Despite this, security-related losses are not solely down to computer hacking incidents. Far from it, in fact. In 2003, a U.S. study released by the Computing Technology Industry Association revealed that human error, not technology, is the most significant cause of IT security breaches. The survey suggested that more training and certification of IT workers would help the U.S. protect itself against ‘cyberthreats’. In more than 63% of security breaches identified by the survey's respondents, human error was the major cause. Respondents cited only 8% of security breaches as purely technical failures.

Further considerations arise as the practice of outsourcing becomes increasingly commonplace.
This presents an added challenge to the security of IT systems, as organisations deal not only with their own employees but with those of a third party, often in a foreign country. Whilst IT security products and software are part of the solution, it is widely accepted that technology alone cannot guarantee network security, particularly in an environment where the work has been outsourced but the risk remains. This is one reason why companies are increasingly requiring the firms taking on the outsourced work to become ISO 27001 (the Information Security Standard that recently subsumed BS 7799) certified.

A recent global network risk survey conducted by the Economist Intelligence Unit polled senior risk managers and business leaders throughout Europe. More than half of the companies polled revealed that they have suffered significant financial damage as a result of IT system failure in the last 12 months. The research also showed that nearly 40% of those surveyed had experienced losses as a result of damage or misuse of systems or data by staff or contractors and that nearly 25% had suffered as a result of computer crime, including hacking and phishing.

Risk Transfer

It’s important to check the fine print of general company insurance policies, as many specifically exclude claimants from recovering losses arising from the events mentioned above. However, it is refreshing to note that some dedicated computer security-related insurance products are emerging. For example, high profile insurer ACE has introduced the Dataguard and Computerguard insurance offerings.

Dataguard has been specifically designed for companies who have a dependency on their computer network. The cover ‘bridges the gaps in cover with traditional policies and provides protection to take away the resulting first party financial loss, loss of network revenue, data reconstruction and company image re-establishment costs’.
Computerguard covers financial losses resulting from physical damage to, and breakdown of, computers. Cover includes the cost of replacing damaged computer hardware, the reinstatement of lost programmes or data and the increased working costs as a result.

These types of insurance cover offer peace of mind for businesses that require protection against financial loss arising from malicious or accidental incidents to computer networks and telecommunications systems. In my view, they should be seriously considered in terms of risk management strategy.

Alan Phillips MBCS