Losses in cyberspace

Rough Notes, Oct 2003 by Zinkewicz, Phil

PLUS panel addresses Internet liability

On Thursday, August 14, at 4:11 p.m. (EST), almost the entire east coast of the United States and further up north was thrown into darkness. Cities including New York, Detroit, Cleveland, parts of New Jersey, and areas as far north as Toronto and Ottawa had no electricity-some areas for as long as 24 hours-although many areas returned to normalcy in as little as 12 hours.

There was some initial speculation that this was a terrorist action, but it was soon reported by government officials that this was not the case. Nevertheless, businesses were shut down-especially supermarkets and restaurants where spoilage of perishable goods became a major issue-means of transportation were severely limited, people were stranded at airports and train stations, and some were forced to sleep in the parks and on city stoops on a hot and sultry summer night.

By Friday, the lights came back on in most areas throughout the East Coast, but the subways in New York were still not running and cable networks were still not in operation. In addition, the Internet was still not up and operational.

It is still too early to determine to just what extent the business community was affected by the loss of Internet services during the most severe blackout in U.S. history. Just a week earlier, the media had reported that a new "worm" was threatening Internet communication and, while there was no major disruption, the threat in and of itself was enough to cause concern to those whose businesses have become almost totally dependent on the Internet.

That concern is understandable. A recent survey of more than 500 large U.S. corporations and government agencies conducted by the FBI and the Computer Security Institute, found that:

* 90% of respondents had detected computer security breaches within the past 12 months.

* 80% acknowledged financial losses due to computer breaches.

* 74% of respondents cited their Internet connection as a frequent point of attack.

* 33% reported that their LAN networks as a frequent point of attack.

* 34% reported network intrusions to law enforcement officials.

* 40% reported detections of external hackers and denial of service attacks.

* 78% detected employee abuse of Internet access privileges.

* 85% detected computer viruses.

The survey showed a breakdown of dollar amount of e-business losses by type:

* Unauthorized insider access resulted in roughly $4.5 million

* Financial fraud, about $115.7 million

* Telecom fraud, $6 million

* Theft of property information, $170.8 million

* Virus, almost $50 million

* Denial of service, $18.3 million

* Sabotage, $15 million

* Systems penetrations, $13 million

* Telecom eavesdropping, $345,000.

At next month's annual PLUS conference, Bradley Gow, vice president, ACE USA, will moderate a panel titled "Cyber Hurricane: The Potential for Aggregated Internet Losses and the Insurance Industry." Panelists will include: Robert Hammesfahr, partner, Cozen O'Connor; Harrison Oellrich, managing director, Guy Carpenter & Co.; Richard Reed, vice president and product lines manager, Chubb Commercial Insurance; and a senior administration official from the U.S. Department of Homeland Security, who will discuss the vulnerabilities of the U.S. Cyberspace systems and what is being done at the federal levels.

"As the economy's dependence increases upon the Internet for the delivery of services and goods to the public, its vulnerability to massive interruptions also increases," says Gow. "Whether caused by terrorist attack, natural disaster, virus and similar malicious tampering, or hardware/software failures, an interruption of Internet services or loss of commercial data can pose a threat of lawsuits against professions inside and outside the high-tech industry, including accountants, lawyers, financial advisers and others," he says.

"For the 300-plus years that the insurance industry has been in existence, catastrophic events, no matter how severe, have had a finite effect," continues Gow. "Hurricanes, tornadoes, earthquakes and other types of catastrophes have been measurable and have had limits. Even class action lawsuits are limited to the company or companies involved. But the Internet presents another scenario. An Internet outage, for any reason, can affect servers worldwide. Even a shutdown that lasts only eight or 10 minutes can have a devastating effect. The 'Slammer Worm' has made Internet history as the fastest spreading computer bug to date, crippling banks and airlines worldwide. It took 10 minutes to infect 160,000 computers."

Gow says that the new exposures that have come about because of the Internet have been recognized only relatively recently. "As recently as five years ago, there was no such thing as network risk insurance. Now, this market represents about $60 million to $100 million and it is growing rapidly."

Insurers and reinsurers must find ways to address this catastrophic potential, according to Gow.

The ACE executive said that the PLUS panel will address this issue as well as claims handling problems with Internet exposures. In addition, the question of business interruption exposures will be explored. Traditionally, business interruption policies are triggered only when there is a loss to tangible properties. And today, most insurers have exclusions to business interruption due to loss of data. However, according to Gow, some companies are now offering stand-alone coverage, with the expense dependent upon the type of Internet organization.