From Risk to Reward: E-business is transforming risk. Insurer AIG is transforming the way organizations manage that risk - CaseStudy - American International Group Inc - Brief Article

Chief Executive, The, Nov, 2001 by Eric Schoeniger

The dot-com bubble may have burst, but e-business continues to transform companies in profound ways. As the Internet opens corporate networks to an expanding universe of employees, partners and customers, it exposes organizations to entirely new risks. From protecting against cyber-attacks to safeguarding customer privacy, companies must fundamentally rethink the way they manage risk and protect their most vital assets.

For insurance companies such as the member companies of American International Group, Inc. (AIG), that means transforming products and services to help protect customers as they adapt to the Internet economy. That's why the New York firm created AIG eBusiness Risk Solutions in January 2000, and introduced insurance products that address risks associated with e-business.

"We recognized that the Internet would have a dramatic impact on the lives of our customers and the risks they faced," says Gretchen Hayes, president of AIG eBusiness Risk Solutions. "We needed to respond?."

The changing risks reflect the changing way companies use information technology. Not that long ago, computers were kept behind locked doors, and computer networks were accessed only by select groups of employees. Managing those networks was all about keeping people out.

But as companies have recognized the promise of e-business, they have also opened up the network -- through e-mail, Web sites and a growing range of e-commerce activities. In doing so, they have exposed themselves to a passel of security threats, from this summer's Code Red worm to the denial-of-service attacks that brought down Amazon.com, eBay and other sites last year.

"Risk has changed forever as a result of the Internet," says Ty R. Sagalow, chief operating officer of AIG eBusiness Risk Solutions. "Even if you don't conduct business on your Web site, if your employees use e-mail, you have opened your systems to the world."

Companies have responded to this new, risky frontier by investing ever-greater resources in protective measures such as antivirus software, firewalls and intrusion-detection systems. But experts agree that even the most Herculean security efforts won't provide 100 percent protection. So increasingly, companies are looking to insurance policies as a way to augment their security defenses.

E-business insurance policies are fundamentally different from their brick-and-mortar counterparts. Whereas risk management has traditionally covered physical assets, in the Internet economy it involves the bits that reside in databases and traverse the network, as well as intangibles such as corporate reputation.

A good policy, experts say, covers issues such as viruses, security breaches, data damage, and the expenses and losses associated with e-business interruption. It also addresses growing threats such as cyber-extortion and the loss of intangible property such as trade secrets, as well as legal liabilities that cause financial damage to others resulting from inadequate network security, professional errors or omissions, and "Web content injury" -- things like copyright infringements and privacy violations.

The new division was necessary, says Hayes, because "we recognized that these risks were fundamentally different, and they wouldn't fit easily into our current product groups. The analysis of these risks requires specific expertise." Perhaps more important, e-business insurance would require tight integration with technology.

"It was the right thing to do from the customer's perspective," Sagalow says. "If a hacker destroys your data, you don't want your claim to be looked at by a guy who spends his day handling fire-destruction claims."

Working with consumers and corporations involved in both B2C and B2B activities, the new division has introduced several products and services, among them the AIG netAdvantage Suite, which provides coverage options ranging from Web content-related exposures to professional liability, from e-business interruption to hacker attacks. It also maintains a cyber-criminal reward fund and public relations insurance. The reward fund pays $50,000 for information leading to the arrest and conviction of someone who has hacked into the insured's systems. The public relations insurance provides $50,000 in reimbursement to help policyowners explain to their stakeholders why there was a security breach and how the situation is being addressed.

Before they can be accepted, applicants must undergo a security-risk assessment. AIG worked with one of its technology alliances, Unisys Corp., to develop a Web-based risk-assessment tool, available at www.aignetadvantage.com. By answering questions online, companies receive a free report that reveals potential security weaknesses. For applicants interested in $5 million or more in coverage, a two-day onsite assessment can delineate security weaknesses and suggested solutions. Regardless of whether the applicant elects to purchase the insurance, the assessment analysis and report are free.

Response to AIG net Advantage and AIG's other e-business insurance offerings has been tremendous, Hayes reports. With more than 1,200 clients, AIG is recognized as the largest provider of e-business risk insurance worldwide.