Tuesday, Feb. 07, 2006
Shock Absorbers
By Maryanne Murray Buechner
When 21-year-old Web entrepreneur Alex Tew received a $50,000 ransom demand last month, he remembers thinking, "There's no way on earth I'm paying these guys." Hackers had kidnapped Tew's Million Dollar Homepage, an advertising website, crippling it with a flood of data. Thousands of dollars, six days and two security teams later, the site was back up. "I can understand why gambling sites that accept thousands of dollars a day could choose to pay and be done with it," Tew says, "but I made a point of standing firm."
As cyberextortion schemes become increasingly common, their targets have another choice: cyberinsurance. Demand for this emerging category of insurance, which will even cover a ransom payment, has jumped as more companies--and not just tech firms--depend on digital networks to do business. Written premiums topped $200 million in 2005, up from $100 million in 2003, according to Aon Financial Services Group managing director Kevin Kalinich, as corporations realize they have to guard against liability in addition to the hackers themselves.
The rise of the hacker as extortionist reflects a broader change in hacker culture. "It used to be teenagers looking for bragging rights," says Johannes Ullrich, chief research officer for the SANS Institute, a security think tank. "Now it's done for profit." And it's done from anywhere in the world, so catching the bad guys can be complicated. Ullrich estimates that there are 10 or 20 cases a day, compared with virtually none three years ago. More sophisticated viruses, spyware and other forms of malicious code, meanwhile, are the new weapons of choice for committing identity theft, bank fraud, even industrial espionage. Computer crime costs U.S. businesses an estimated $67.2 billion a year, according to the FBI.
There are two sides to cyberinsurance: first-party coverage helps companies recover losses owing to, say, a network outage. Many first-party policies also include payments to hackers holding your website or customer data hostage, says ACE USA underwriter Brad Gow. Third-party liability covers legal expenses if security fails and someone sues. Annual premium payments range from $7,500 for a medium-size ($25 million in sales) company to hundreds of thousands of dollars for a multinational corporation, according to AIG. To qualify for coverage, companies must adhere to internationally accepted security standards. "You never know what you're going to come up against," says Moira Mooney, senior risk manager for InterActiveCorp, which owns several online businesses. "Having the insurance is a backstop."
What has really kicked things off for the cyberinsurance market is new legislation, in effect in some 20 states, that requires companies to notify customers when their personal data may have been compromised. There were 134 such breaches last year, potentially affecting more than 57 million people, according to the Identity Theft Resource Center. "Companies used to bury this stuff," says Chris Hoofnagle, senior counsel for the Electronic Privacy Information Center. Now that they must go public, buying insurance can reduce liability risk.
Insured or not, the top priority is still prevention. Procter & Gamble, for one, eschews cyberinsurance. "What would be scary for us is if we lost critical data--about R&D, our supply chains, even a marketing plan--to our competitors," says chief information officer Filippo Passerini. "There's no insurance that could cover all the damage."