[infowar.de] Cyber insurance is coming
The market volume is estimated at $2.5 billion in 2005.
Cyberinsurance may cover damage of computer woes
By Nancy Gohring
Seattle Times business reporter
July 29, 2002
In February 2000, online hackers launched what's known as a "denial of
service" attack, shutting down eBay, Amazon.com, CNN.com and other
major Web sites for as long as three hours. By some estimates, the
event cost the companies $1.2 billion.
Traditionally, such attacks haven't been covered by insurance. In
industry lingo, the companies were "self-insured," meaning they were
responsible for their own losses.
But as online attacks and viruses continue to wreak havoc - and at a
time when security is increasingly a top-of-mind concern - insurers,
technology companies and the federal government are working toward a
solution to protect companies from losses.
The idea that has emerged is being called cyberinsurance, and it
covers almost anything related to information technology, including
losses resulting from viruses, hacker or denial of service attacks,
extortion, and copyright and privacy infringement.
So far, some insurers are including coverage for basic problems in
their general liability offerings, but most are asking customers who
want significant coverage to pay for separate packages.
High-tech companies are the most likely to buy cyberinsurance in case
their services or products fail their customers. But the insurance
industry wants all companies with any sort of Internet connection to
take out cyberinsurance, and the federal government is particularly
hopeful that companies in industries traditionally considered
utilities will buy it.
In fact, the insurance industry predicts that cyberinsurance will be a
$2.5 billion market in 2005, according to the Insurance Information
In the meantime, insurers are experimenting with how to offer it,
while struggling to persuade companies to buy it. It's not clear at
this point how many companies have signed up for cyberinsurance.
American International Group, a known name in the field, has issued
more than 2,000 policies, but if you ask companies about
cyberinsurance, many will say they've never heard of it.
Those companies may be some of the same that have experienced losses
resulting from security failures. The Computer Security Institute and
the FBI's Computer Intrusion Squad in San Francisco found 90 percent
of companies surveyed recently had detected security breaches in the
past year, though only half of them were able and willing to quantify
their losses - about $455 million in the past year.
As a practice, few companies buy insurance to cover losses they may
incur when internal systems fail. Instead, they more commonly buy
third-party cyberinsurance, which protects against damage to customers
or someone other than the company.
"People buy insurance for things outside of their control that are
catastrophic in nature, like being sued," said Ned Sander, managing
director for the Seattle office of AH&T Technology Brokers, an
insurance broker serving small and medium-size technology businesses
An example is Amaze Entertainment, an AH&T customer and Seattle
company that develops electronic games for publishers such as
Electronic Arts. When it comes to insurance, Amaze negotiates with its
publisher-customers whether to insure its products.
"We'll say that we'll buy it if you want it, but you'll pay more for
the project," said Mike Dean, director of finance with Amaze. Such
insurance would cover losses to Amaze's customers in case, for
example, the customer sells Amaze software to end users and the
software is faulty. If Amaze's customer had to recall the product and
offer refunds, insurance would cover the losses.
But when companies look at first-party insurance, which would pay for
loss to the company itself, they tend to pass. "A lot of times these
IT guys say if I buy a policy it admits I'm not doing my job well
enough," Sander said.
Amaze hasn't invested in first-party cyberinsurance. "We're not
worried about our systems crashing," said Dean.
Companies also shy from first-party insurance because it can be
complicated to buy. Insurance companies usually require an in-depth
evaluation of the potential customer's systems - sometimes at a cost
to the customer - as well as a lengthy, complicated set of forms.
Some companies decide against first-party insurance, Sander said, once
they learn about that process.
Companies may also be turning down first-party insurance because of
the hush-hush nature that often clouds specific attacks. It's widely
believed that companies with security breaches tend not to report it
to law enforcement or insurers.
"When a company has their systems hacked into and they suffer losses,
they don't like to advertise it," said Bob Bregman, senior research
analyst with the International Risk Management Institute. "Because if
someone hacks into your system it's not the same as saying your plant
was destroyed by fire. There are different implications."
Companies that do consider cyberinsurance have a lot of research to
do. Insurers have a wide variety of packages to offer, as they try to
get their hands around the risk involved, with little historical
information to help determine values.
"Traditional (insurance) products have decades of loss information
where we can generate a premium that is razor thin because you have
this ability to understand the losses of the past," said Ty Sagalow,
chief operating officer of AIG's eBusiness Risk Solutions group.
Not so with cyberinsurance. Because risk from electronic failures has
so little history, some insurance companies, like AIG, offer it as a
separate policy. Other insurers, however, include certain basic forms
of cyberinsurance in general liability packages.
Nonetheless, Sagalow thinks that ultimately all insurers will offer
cyberinsurance separately because it's a unique risk that should be
handled by the insurance company's specialists.
Not everyone agrees. "Over time the coverage will be included in the
package," AH&T's Sander said. He points to The St. Paul Companies and
The Chubb Group, both of which offer general liability policies that
cover loss and recovery of data that may occur because of a physical
event, such as an electrical power surge or a fire.
In April, St. Paul instituted a $10,000 limit on business interruption
and data loss resulting from hacker attacks or viruses into its
general liability plan, Sander said. Companies that want more will
have to pay extra for it.
The price varies depending on the size of the company, as well as the
types and amount of coverage. Fortune 500 companies could spend
hundreds of thousands a year for robust coverage with high limits,
AIG will cover as much as $25 million or even more if a company wants
it. Small companies, on the other hand, could take out a policy that's
as low-priced as $999.
Even though the insurance industry is clearly hammering out the
wrinkles of this new type of insurance, a push by the federal
government may lead more companies to buy it.
Dick Clarke, the adviser to President Bush for cybersecurity and
chairman of the President's Critical Infrastructure Protection Board,
thinks the widespread use of cyberinsurance will raise the bar on
"They'll say things like, 'We'll give you cyberinsurance if you buy
the following products and do the following things,' " he said.
Clarke is particularly interested in promoting cyberinsurance for
companies involved in railroads, aviation, banking, power,
telecommunications, oil and gas.
"If you look at our critical infrastructure, 90 percent of it or more
is owned by the private sector," said Clarke. The government can
protect the physical assets of those companies with troops and tanks,
but "when the attack comes over cybernetworks, it's very hard for the
government to defend them," he said.
Nancy Gohring: 206-464-2140 or ngohring -!
- seattletimes -