At the World Economic Forum meeting in Davos, Switzerland, earlier this year, hackers with a political axe to grind broke into a forum database. They obtained confidential information on the 27,000 well-heeled participants, including Microsoft chairman Bill Gates and former U.S. Secretary of State Madeleine Albright, according to press reports. They also unearthed credit card numbers, and perhaps passport numbers, for 1,400 people.

“There were computers all over the conference center,” said one participant who asked not to be identified. “You could swipe your name badge, get online, communicate with others at the conference and sign up for sessions. Some of the sessions were over lunch and dinner, and required credit cards.”

The participant said the hackers did not use his credit card to buy anything since the culprits were more interested in drawing attention to their anti-globalization cause than in racking up bills. Still, he cancelled his card and requested a replacement. “It was more precautionary than anything else.”

It was the kind of incident that many people see as harmless, maybe even funny, especially given the prominence of many of the victims. Who wouldn’t like to imagine a celebrity executive or politician trying to explain to a credit card company representative on the phone how he didn’t really go on a shopping spree and buy 50 Rolex watches?

But Emily Freeman, senior vice president of Marsh Inc., a leading global risk manager and insurance broker with headquarters in New York, takes an altogether different view. “When people think of hacking they think of 12-year-olds with multiple body piercings creating the Anna Kournikova virus, doing it for fun to make a name for themselves. But there are others who are organized and trying to commit major fraud, trying to steal for espionage purposes and stealing credit card numbers. It’s not just a nuisance.”

Freeman’s company and others are busy trying to alert organizations nationwide about the potential havoc that cyber outlaws can wreak and urging potential customers to consider a product still in its infancy – insurance to cover an array of computer security risks.

Freeman says the number of hacking incidents is impossible to pin down with any degree of accuracy because many organizations, fearing bad publicity, simply do not report incidents to law enforcement authorities or anyone else. But there are some data that offer a glimpse of the scope of the problem. A survey of 643 computer security practitioners by the Computer Security Institute, a San Francisco-based association of information security professionals, paints a picture that one of its officials has called “disturbing.”

The survey, released in March 2000, found that 90% of respondents, mostly large corporations and government agencies, had detected “computer security breaches” of all sorts, not just hacker attacks, during the previous 12 months. Some involved run-of-the-mill incidents like viruses, Internet abuse by employees and laptop thefts. But 70% reported financial fraud, system penetration, theft of proprietary information and denial-of-service attacks (when an e-commerce provider or other web site is knocked offline and is unable to do business). Of the organizations surveyed, 74% admitted financial losses, but only 42% were willing to or able to quantify those losses, which totaled $265.6 million.

Dan Hunter, a Wharton legal studies professor who prefers the term “cracking” to describe computer security attacks that are criminal, not mischievous, in nature, says the lion’s share of computer security is focused on maintaining the integrity of credit card information.

“We used to be concerned, as consumers, about sending credit card numbers over the Net, but that’s pretty much secure,” Hunter says. “It’s difficult and not particularly feasible for a cracker to put a ‘sniffer’ between you and Amazon.com to copy credit card details. It’s easier to break into e-commerce sites that hold thousands of names and either just rip off the information or blackmail the company into providing money” in exchange for the data.

A successful theft of information from a credit card company like Visa or MasterCard is highly unlikely because security is sophisticated, Hunter says. Likelier targets include smaller e-commerce sites that are poorly protected. Hunter says other types of cyber crimes, such as denial-of-service attacks and industrial sabotage resulting in theft of corporate secrets, are serious, but pale in comparison to the potential extent of damage posed by credit card theft.

Gerry McCartney, associate dean and chief information officer at Wharton, says the school’s computer system is an unlikely target for crackers because the information contained there is largely of little value to criminals. “Our data usually isn’t life or death data,” he says. “It’s not military data or health systems data.”

The issue of computer security is a complex one for a university, McCartney says. For one thing, universities by nature are open environments where sharing information is central to their mission. In addition, there is the question of balancing cost with the value of the information at risk. “There’s a trade-off between [a potential security problem] and how much you want to spend to address the problem,” he says. “We just can’t buy as much as we think we might need.”

McCartney says a “non-trivial number” of cyber attacks come from inside the Wharton community, such as the student who sends out a fake e-mail announcing a cancellation of exams. “We get attacks from outside, but they tend to be attacks that affect everyone, like the Melissa virus,” whose target was Microsoft Exchange software. In response to that virus, McCartney says, Wharton disconnected itself from the Internet for 20 minutes, installed an anti-viral patch and set about “disinfecting” the system.

As an insurance broker, Marsh does not write policies. Instead, it creates products and looks for insurers to underwrite them. Two years ago, Marsh developed a product called NetSecure, the first version of which was designed for IBM. NetSecure is underwritten by the Zurich Insurance Group and Lloyd’s of London, Freeman says.

Marsh is involved in coverage in other ways, too. The company has created special language for policies offered by other companies, principally AIG and Chubb, that provide variations on the type of coverage spelled out in NetSecure. “We offer clients choice,” says Freeman. “Not everyone wants a Cadillac. We have people who want to cover security risk in a robust way and others who want minimal coverage.” Clients range from Fortune 200 businesses to small companies.

In general, insurance can provide coverage for: external threats from viruses that disrupt and deface Web sites; unauthorized use of an organization’s computer system; theft of an organization’s own data by insiders or outsiders; extortion; denial-of-service attacks; crisis management; and liability against lawsuits.

Freeman says most of the policies that Marsh has been involved with have been bought by bricks-and-mortar organizations that wish to establish sites for various business-to-business activities. The second largest group of customers consists of retailers who have become web-enabled. The third biggest group is health care providers, which are subject to regulations concerning the management of patient information. The fourth consists of entertainment and media companies, ranging from motion picture studios to online newspapers. The three chief concerns of insurance customers, Freeman says, are information theft and credit card fraud, viruses and denial-of-service attacks.

Freeman says computer security insurance remains a tiny, but growing, piece of the total insurance business.

One person who is skeptical of the need for cyber insurance and its potential for growth is Greg Meyers, practice director and lead strategist at Qwest Interactive, the professional services division of Qwest Communications International, and an adjunct professor of marketing at Wharton.

Underwriting such coverage requires a “tremendous amount of due diligence as well as large sums of money to hire consultants to inspect a computer system for flaws before writing policies,” says Meyers, former associate director of the Thought Leadership Group for PricewaterhouseCoopers’ global e-business initiative. Also hard to figure out, he says, is the value of data that may be stolen and how much money an e-commerce site may lose if a hacker forces it to go down for several hours.

“It hasn’t taken off,” Meyers says of cyber insurance. “We’ve not been able to find a good way to assess data loss. Amazon can say, ‘we’ll lose so much money per hour’ if they go down [as a result of a denial-of-service attack]. But what’s the cost of losing potential customer data? What’s Amazon’s database worth?

“The risks are unknown,” he adds. “Hackers are getting better every day but technology [to thwart hackers] is getting better every day. Who’s going to win the race? If the hackers win out, insurance companies are going to lose big” in the amount of claims they have to pay.

Marsh and other firms, however, believe insurance against cyber risks is a line of business worth pursuing. Says Freeman: “When a web site goes beyond brochure-ware and goes into transaction or integration activities with outside parties and becomes part of the enterprise function, that’s when we start to see the security risk issue get to the point where people are concerned about it.”