VideoECharge Corp. believes it has a great value proposition: offer a secure way for online companies to accept payments with absolutely no chance personal information can be stolen or fraudulently used, and back it up with a guarantee. But no matter how good a service might be, guarantees entail some risk. "There's always the possibility that some little thing could fall through the cracks and cause a catastrophic event," concedes Mark Tremont, CFO and chief operating officer at the Seattle-based company.
So eCharge did what lots of other online companies are doing. It bought cyberinsurance. "If the security or privacy of our Web site or network were compromised, it would blemish our brand and cause irreparable harm," Tremont explains. "So our feeling was, let's not spend time thinking about this; let's protect our capital investors and buy an insurance policy."
Cyberinsurance is the hottest sector in the insurance industry, an entirely new line of products that barely existed two years ago. Back then, most insurers were loath to use their capital to absorb corporate cyberrisks, a little- understood panoply of potentially devastating financial exposures. Only one underwriting agency, Insuretrust.com LLC (then known as Network Risk Management Services), offered specific online risk transfer products in the spring of 1997. However, coverage was offered only to Web sites, and rates were high.
But as the Internet E- commerce revolution took shape, demand for cyberinsurance burgeoned. More insurers entered the market, driving down prices, broadening coverages, and increasing overall protection limits. The result, says Adam McDonough, senior vice president at Willis Insurance Services, in San Francisco, is that "we're in the midst of a warming trend. The user unfriendliness that characterized this product is fast disappearing. [Consequently], corporate purchasers should focus on covering their liabilities to others resulting from a security breach to their network--for instance, sensitive data falling into the wrong hands, contaminated or destroyed data resulting in financial loss to customers, a denial-of-service attack leading to delayed or lost orders, and so on. Limits to consider will vary widely, depending on the nature of operations, but $5 million to $20 million is a good start."
Cyberattacks
Demand for cyberinsurance has exploded in the wake of three major cybersecurity breaches in the past six months. The first involved the penetration of CD Universe by a hacker dubbed "Maxus," who stole some 300,000 customer credit card numbers. Maxus demanded a ransom payment of $100,000 to return the numbers, and made good on his threat to release them to the public when the online music retailer balked. He has yet to be apprehended.
The second breach was the notorious denial-of-service attacks in February against Yahoo, Ebay, Amazon.com, and other popular Web sites. The hackings shut down the sites for several hours, causing more than $1.2 billion in total losses, according to The Yankee Group. The Boston-based consulting firm tallied each company's lost revenues, lost market capitalization due to plunging stock prices, and the cost for systems security upgrades. One of the hackers, a Canadian teenager with the colorful handle "Mafiaboy," was later apprehended.
The third breach is really a series of breaches: the recent plague of E-mail viruses that infected systems and networks around the globe. They include the infamous Love Bug and the so-called résumé killer.
Each of the attacks showed the vulnerability not just of online businesses but of all businesses, deepening the awareness of E-commerce risk. And while most property/casualty policies failed to cover that risk, several major and more than a few minor insurers have moved to fill the void, including Lloyd's of London, Zurich Insurance Group, and Chubb Group of Insurance Cos.
"The new policies made their debut at the beginning of the year, a few weeks before the well- publicized security breaches," says McDonough. "The insurers' timing was perfect. All the publicity given the hackings has translated into tremendous interest."
The policies are roughly comparable, covering a variety of similar exposures. AIG's NetAdvantage Program, for example, addresses a host of E-commerce disruptions, including cyberextortion, content defamation, copyright and trademark infringement, denial-of-service attacks, viruses, theft of information, and destruction or alteration of data. The insurer also offers rewards for information leading to the apprehension of hackers and expense reimbursement for post-hacking crisis-management activities.
Cyberinsurance policy costs vary widely, however, depending on the size and type of company insured. That said, costs have come down, from $45,000 to $50,000 for a million dollars in coverage a year ago for a large company to about $15,000 to $25,000 today, McDonough says. "As more capacity enters the market in the form of new competitors, and loss experience continues to be positive," he says, "pricing will certainly fall to the point where coverage becomes affordable for smaller and midsize companies."
Barriers To Entry
Widespread adoption of cyberinsurance has been hampered by insurers' insistence (as a precondition to coverage) that policy applicants undergo a rigorous security assessment by a third-party technology security firm. The process takes time, and is invasive (the security firms perform on-site technology audits and so-called ethical hackings, in which they attempt to penetrate a client's system to see if, or more likely how, it could be done) and expensive, with the entire cost borne by the applicant. The cost of the security audit can run into the tens of thousands of dollars for start-up dot-coms with no security track records--and that's before tacking on an insurance premium.
Reader Comments» Post a comment