Hackers and Other Hazards.

Author: FREEMAN, EMILY Q.
Position: Brief Article

New risks demand new risk-management techniques.

Risk management has always concerned itself with critical enterprise infrastructure -- the processes and assets essential to basic business operations. In the past, that critical infrastructure meant physical plant, equipment and inventory. In a technology-based environment, however, an enterprise's core operations depend on electronic information and computer networks. Apart from its creative people, everything a business knows and owns resides in its databases and systems.

Although an intangible asset, electronic information, notably knowledge databases and intellectual property, is a key driver of revenue and worth. Key processes and connections to customers and partners will be web-based -- whether they involve value chain integration, procurement, bill presentment, fulfillment, benefits management or legal services. What particularly troubles those entrusted with risk management is the lack of definition and quantification of these risks -- in particular because there's little historic data available for calibrating them.

Thus, information technology risk management now should involve the identification, assessment, control, mitigation and financing of probable risks commensurate with the enterprise's brand, reputation, assets and operations.

Consider the risk of electronic data destruction, corruption or disclosure by internal or external computer attackers. This cyber peril is critical -- especially to the financial services and health care industries. Bear in mind how young these technologies are and how uncertain the direction of Internet-related litigation and regulation remains. And businesses are reluctant to reveal information about cyber crime or cyber attacks, because the public relations and investor fallout could damage brand and reputation.

Then, too, businesses are less likely to notify law enforcement about known cyber crime and its perpetrators. And such attackers are difficult to catch and convict: it is relatively easy to hide behind false addresses and to electronically mask the route of an attack, and federal investigative resources are limited. However, conviction under the Computer Fraud and Abuse Act can entail prison sentences of up to five years per incident (10 years for repeat offenders) and a $250,000 fine.

Still, prosecutions and convictions won't approach the soaring number of computer attacks, which more than doubled to 8,268 incidents last year, according to reports filed with the Computer Emergency Response Team at Carnegie Mellon University. And these incidents -- reported voluntarily -- are the tip of the iceberg.

An important first risk-management step is to identify and understand cyber perils (see pages 32 and 48). Although they're labeled as direct risks and liability risks, one security breach may result in both a direct loss and a liability loss.

Some of these perils existed pre-Internet, but their likelihood and magnitude have changed. If we focus on the three critical concerns of risk management -- the frequency of claims, severity of loss and cost of resolution -- we can identify at least five ways Internet technologies affect the management of liability risks and exposures:

Rise in the number of claims. New portals and falling PC prices have increased Internet access globally. Studies say the number of Internet users doubles every 100 days.

Upsurge in the severity of claims. The growing dependence of global business on Internet applications...
