A router maker starts receiving complaints from customers — around the world — that the ports on a particular networking device are not working properly. IT professionals, scrambling to cope, attempt to close the faulty ports with technology equivalent to electrical tape.
They are able to redirect the data flow to other parts of the device, but the damage has already been done, and there is a global network outage. A potential international data disaster caused by a faulty microchip in one router model? Perhaps.
Who is responsible for the resulting loss of business to companies worldwide that have been affected by the data blackout? More than likely, in this new era of digital insurance, the liability will be covered under a new technology errors and omissions policy — a new form of insurance — by the router manufacturer.
A New Frontier
“This is a whole new frontier of insurance,” Jon Pendleton, a partner with Pillsbury and Levinson, a San Francisco-based technology law firm, said in an interview with TechNewsWorld. “When it began a few years ago, it was adopted by a small percentage of companies. But now, Microsoft is requiring contractors who do portions of their coding to have this kind of coverage. The coverage has evolved.”
Insurance companies, such as AIG and Lloyd’s of London, launched e-business risk-insurance products back around 1999, reckoning, like many, that the dot-com boom would last perpetually and that Internet companies would be their primary customers.
When the so-called tech bubble burst — followed by the tragic events in New York and Washington, D.C., of September 11, 2001 — interest in cyber insurance was expected to wane, Robert Parisi, senior vice president and chief underwriting officer for electronic business at New York-based AIG, said in an interview.
Insurance carriers were surprised to find that some customers wanted their coverage. “These are companies that used to be referred to as old-economy firms — retailers, healthcare companies, pulp and paper mills, airlines,” said Parisi. “They’re not at the bleeding edge of technology. But they are intensive users of technology.”
All Kinds of Risks
Employment under Parisi has bloomed from a handful of workers four years ago to about 24 today, located in offices in major metro areas in the United States and in London and Tokyo, he said.
“Companies are dealing with all kinds of risks to their information,” said Parisi. Terrorists could strike, knocking out a data center. A natural disaster could occur. Or hackers could attack a site — bringing down its ability to process credit cards.
“If you can’t process credit card transactions, you will lose money fast,” said Parisi. “You can easily imagine what would happen to eBay or Amazon if they couldn’t process credit cards. But compare that to what would happen to Wal-Mart if they couldn’t do that. They’re so much bigger.”
Specialty insurance has had to be developed for computer and cyber risks because information is an intangible asset, which generally cannot be replaced easily.
“Everything online can be covered,” said Parisi. “Everything from coverage of content that annoys someone, is slanderous or infringes upon copyrights, [to] full-blown hacker attacks.”
Cost of Coverage
Insurance companies are figuring out the frequency of these kinds of attacks and the amount of expected damage, he said.
Buying a big-ticket product online via an auction can be a risk, for example. But companies can buy bonds that are financially backed by The Hartford Financial Services Group and the Rutherfoord Companies, which will refund the price of the sale if the bonded seller does not fulfill the terms of the deal.
For 1 percent of an auction’s sale price, customers can purchase up to US$10,000 in insurance, covering them if the seller has engaged in fraud or misrepresentation.
Courts have grappled with the issue, resulting in major cases, such as St. Paul Insurance v. AOL, and Ward General Insurance v. Employers’ Fire.
What is the consensus of the courts? “Data is not tangible property,” said Parisi. “Tangible property triggers coverage in most insurance policies.”
“If there’s no physical damage, no property damage and no bodily injury,” said technology attorney Pendleton, “it’s a whole new area to deal with.”
Impact on Legal World
The impact of this on the legal world — not to mention the insurance industry and IT — is profound.
“This is akin to the changes faced when moving from an agrarian economy to an industrial economy,” Rob Hammesfahr, an attorney and author of a leading book in the field, @Risk: Internet and E-Commerce Insurance and Reinsurance Issues, told TechNewsWorld. “Companies increasingly realize that their principal assets are Internet-oriented or digital assets, and they have to insure them.”
Hammesfahr, who is a partner with the law firm of Cozen O’Connor, located in the Chicago office, added: “Risk managers are putting network viruses ahead of natural perils. I’m not completely surprised about that. It’s a top concern.”
The attorney related the story of a large retail store that was recently hacked by a so-called security consultant who offered to fix the problem with the store’s network for a mere $2.6 million. “The hacker found the problem and asked for money to repair the problem,” said Hammesfahr. “That case is going to trial. I think it’s extortion.”
The market for Internet insurance to guard against network penetration is still relatively fragmented. Only a few major companies, like Lloyd’s and AIG, are engaged in the business.
Regulations — like the Sarbanes-Oxley Act, which covers financial institutions and record-keeping — are expected to increase the number of purchased policies. So will the Health Insurance Portability and Accountability Act (HIPAA), said Pirisi.
“One of the trends I see is that, in the coming years, all major companies will have this kind of insurance,” said Pendleton.
Back to the Future
But one of the ironies is that when insurance companies were looking for a model for how to insure against cyber-risks, they went back to lessons learned at the height of the industrial revolution.
“We took a page from the old-fashioned insurance coverage: boiler and machinery coverage,” said Parisi. “In the old days, that involved an inspection and risk transfer policy. Someone inspects the boiler [and] tells you if it is good or bad. If something bad happens, you are covered.”
Parisi said that to insure somebody, you go in and examine a network and provide a security assessment. Alternatively, you can send out security auditors. “That’s part of the underwriting process — and it is on our nickel,” he said. “It is focused on the company’s data-security policies, so they understand where they are with their security posture — how vulnerable are they? That’s how this works.”