The unlikely heroes of cyber security: viruses, privacy breaches, and other malicious cyber activity regularly threaten organizations' vital information. Cyber insurance providers hope to control the damage risk.

Author: Groves, Shanna

A customer's confidential account information is broadcast over the Internet without his bank's knowledge. An unknown computer hacker, whose future plans may shut down the bank's e-business network for days or even weeks, causes the breach.

This scenario, while fictitious, sounds all too familiar given today's headlines. Malicious cyber activities, including hacking, viruses, and denial-of-service attacks, leave destructive, and often costly, scars on vital e-business operations.

According to the Computer Security Institute's 2002 Computer Crime and Security Survey, 90 percent of respondents--503 computer security practitioners primarily in large U.S. corporations and government agencies--had detected computer security breaches within the previous year, and 80 percent reported financial losses because of them. Nearly half the respondents reported combined financial losses of more than $455 million.

Some risk management analysts predicted that the insurance industry would neglect cyber insurance, also known as e-risk insurance, after dealing with enormous post-September 11 (9/11) insurance claims. However, as companies take a closer look at protecting their information assets from probable cyber attacks, demand for this form of insurance is growing.

"The insurance industry does play an important role in securing cyberspace," says John Sacia, CEO of Sacia Risk Solutions LLC, a Seattle-based e-business risk coverage provider. "Fortunately, there are a few companies ... that are committing risk capital to this class of business, which, given the state of the insurance industry and the substantial losses arising from 9/11, asbestosis, and corporate wrongdoing, is commendable."

Companies offering cyber risk coverage report that it is gaining new attention in retail, financial, medical, and communications companies because these industries want to protect their bottom line: the computer-networked information assets that make up their infrastructures.

"The insurance industry has done a good job of educating clients about the value of e-business insurance policies," says David O'Neill, vice president of e-business solutions for Zurich North America Financial Enterprises in Baltimore, Maryland. "People are also making a more educated decision about it. They're asking, 'What is the benefit? What's in it for me? What's it for? Maybe I ought to look into it.'"

Targeting common threats that affect organizations helps cyber insurance providers define where coverage is needed. According to Mark Greisiger, founder of NetDiligence, existing and emerging cyber hazards include virus/worm damage, hackers, cyber extortion, Internet liability, Web vandals, denial of service, Web site disability access discrimination (universal access), computer/server malfunctions, intellectual property infringement, rogue administrators, application service provider (ASP) service outages, Internet service provider (ISP) outages, malicious code transmission, Unix and Windows operating system flaws, privacy breaches, and human mistakes.

"In the five years since [cyber] insurance has emerged, there has been a more traditional [insurance-based] risk management appreciation and approach to protecting information and helping customers eliminate risks," Greisiger says. "Companies will be required to demonstrate vigilance, a 'security mentality,' and solid daily practices involving the use of some industry-recognized safeguard processes and technologies, all of which is verified with an e-risk assessment ... in order to qualify for this insurance."

A common misconception among businesses is that traditional insurance covers cyber liabilities. The insurance industry is starting to make it clear that basic brick-and-mortar insurance coverage plans are different from the plans covering information loss and business interruption resulting from cyber attacks.

"Frankly, this has taken some time, and the insurance industry needs to do a better job of articulating those uninsured exposures," Sacia says. "Ultimately, companies will determine that they cannot rely on traditional insurance policies to protect their business, and when this occurs, companies are inclined to consider their options, including better risk management and security and the purchase of cyber insurance."

Cyber Security Guidelines

Cyber insurance has gained considerable public attention with the publication of the U.S. Department of Homeland Security's (DHS) National Strategy to Secure Cyberspace. The 76-page document, released in February, enforces a national cyberspace security response system for improving the U.S. government's response to cyber incidents and outlines programs to prevent future cyber attacks and related damage within the public and private sectors.

"Because the National Strategy document explicitly mentions cyber insurance, I believe this will have a positive impact on the insurance market," says Rick Davis, principal advisor with DigitalRisk Advisors, a Boulder, Colorado-based risk...
