Risk Management: DANGER OF THE CYBER DEEP

August 31, 2000 | Last updated on October 1, 2024

In the past, corporate CEOs worried about being swallowed up in a mega-company takeover. Today, the stuff of CEO nightmares is a teenager sitting behind a computer, with the power to bring down the world’s computer systems with the push of a button. On the heels of Melissa, Y2K and the “I Love You” virus, the Internet has become something of a shark-infested ocean for companies. Ask the people at Amazon, eBay and Yahoo, computer experts themselves who saw their operations hit by denial-of-service (DoS) attacks earlier this year.

At this year’s Risk and Insurance Management Society (RIMS) conference in San Francisco, a survey by Lloyd’s of London revealed that 70% of risk managers view e-commerce as the biggest emerging risk area in the new century. The survey came the same week the “I Love You” virus infected computers worldwide, causing damage estimated at over $10 billion, most of which was uninsured. Shortly thereafter, another Lloyd’s survey revealed that 3 of 4 businesses in the UK were not covered against e-commerce risks associated with hacker and virus damage. “E-commerce can be something of a catch-22 for business. Success is increasingly dependent on it, yet the risks are significant — and evolving rapidly,” Lloyd’s North American director, Julian James said following the RIMS survey. “The so-called Love Bug virus shows just how vulnerable new technology can be when a new threat appears.”

And cyber-vandalism is not the only threat on the horizon. Risks associated with Internet activity run the gamut from business interruption due to computer downtime, through intellectual property liability, advertising claims and privacy (particularly of customer information, such as credit card numbers), to brand defamation and libel. Businesses can be affected through loss of business, loss of customer goodwill, loss of market capitalization, legal action, and the cost of restoring computer systems and upgrading security measures.

Agreement is widespread that these risks are on the rise. Risk managers from all sides of the business world are wondering how these risks will affect them, and where they can go to find the information they will need to assess, control and insure against cyber-risks. “We’ve seen an exponential growth in that activity [Internet use] in society, in business,” says Nowell Seaman, manager of insurance services for the University of Saskatchewan. “It seems to have taken some time to recognize the risks associated.”

Echoing the results of the Lloyd’s survey, Seaman says risk managers in Canada, as everywhere else, are taking the move online seriously. The “I Love You” virus was just one more wake-up call. “People realized you can be exposed to these types of viruses”, and entire systems can be shut down by them. The extent to which risk managers will find themselves embroiled in cyber-risks will depend greatly on how involved their company is on the Internet, and in e-commerce in particular. But, “you don’t have to do business, in terms of sales, to have big exposures on the Internet”, points out Michael Maida, corporate risk manager for Agricore and president of RIMS’ Manitoba chapter. Risk managers are “not really” prepared for so-called e-risks, he says, because it is difficult to determine just how those risks could impact a specific business. “We need better communication between different business units”, such as between risk managers and their company’s information technology (IT) staff, “to identify what e-commerce risks really mean in terms of a company’s overall risks”.

The industry as a whole, including insurers, is “reacting” to the technology trend, says Seaman. “We’re a little behind the curve.” Risk managers are trying to catch up to the e-risk needs of the companies they serve. “It [cyber-risk] definitely needs to be addressed,” says Pascale Samson, manager of risk management and insurance for Bombardier Inc. and Quebec RIMS chapter president. “Most companies already have an exposure in that area.”

Y2K lessons

“One of the best things that ever happened to risk managers was Y2K,” says Rich Whitehouse, director of risk management and insurance for the government of Alberta and chair of this year’s Canadian RIMS conference. “It woke up senior people in various companies. We [risk managers] don’t have as much problem selling the idea that something must be done [about cyber-risks].” The Alberta government spent 18 months in Y2K preparations, identifying areas of vulnerability and investing money in its computer systems. “A lot of the press said what a waste of money [Y2K preparations were]. I don’t think so. We’re light years ahead of where we were before.”

Y2K made businesses, both large and small, take stock of their technological dependence, notes Seaman. “Y2K forced us to commit a lot of resources to this [IT security],” adds Mark Roberton, risk manager for Canadian Occidental Petroleum and president of RIMS’ Southern Alberta chapter. “It forced us to go through our systems and assess them. It’s probably something we should have done before.”

Counting the costs

There is still much that is unknown in the cyber-risk field, risk managers say. Finding out where a company is vulnerable and assessing just what the costs of that exposure are is the biggest task risk managers must prepare themselves for. “In the arena of technology, this is the biggest challenge we face; that is, creating an awareness and deeper understanding of the risks associated with technology and the tools available to address them,” says John Kerr, manager of accounting and administration for the Canadian Universities Reciprocal Insurance Exchange. Kerr is also chair of the RIMS Technology Advisory Council, which has as one of its mandates to facilitate a better understanding of those risks. “Most risk managers are doing a great deal of stretching and growing these days, to get a deeper understanding of…where technology fits into the revenue streams and how it affects the measurement and protection of a firm’s assets.”

Before risk control or insurance can even be addressed, “we’re going to have to understand first what the risks are”, says Samson. Risk managers will have to rely on the expertise of IT departments and even brokers to get a handle on the nature of their company’s specific risks.

“Like a lot of things we deal with…you don’t have to be an expert,” says Roberton. The role of risk managers will be to get the information they need in order to advise corporate CEOs. “Risk managers need to become educated and be prepared to give advice.” Lloyd Hackett, Canadian director of legislative, risk management and public affairs for RIMS, says risk managers may not be prepared to tackle cyber-risks, but he is confident they will acquire the knowledge they need. “They won’t convert themselves into cyber-experts, but they’ll have to be knowledgeable. They’ll have to know when to call the ‘techies’ in.”

Following Internet exposures is always going to be a learning process, notes Whitehouse, because with the rapid nature of technological change, exposures will “change every five seconds”. Every time a new security measure is invented, a new hacking technique is developed to counteract it.

In terms of liability, the newness or lack of Internet-related laws “makes it very unclear if you’re doing it right or wrong”, says Samson. Her company’s legal counsel stays on top of possible issues related to the Internet, she notes. “We’re being very careful.” Companies have to stay on top not only of laws pertaining to advertising, libel, intellectual property, branding and such, but also to internal uses. In some cases, companies have found themselves involved in sexual harassment cases as a result of corporate e-mail abuses.

Discovering a company’s vulnerabilities may be the most costly part of its risk management strategy, Samson asserts. It will “require a lot of work” to identify what needs to be covered, and “it’s going to be costly” to do that. Maida agrees that risk assessment could prove costly. Many companies, he suggests, already have the resources in their own IT departments to deal with those risks once identified.

Insuring the risks

Risk control is “the key” to dealing with cyber-risks, risk managers say. “A big part of the work is loss control and loss prevention,” says Samson. Risk control includes standard security measures such as firewalls and anti-virus programs, as well as post-loss plans to get systems up and running as fast as possible. Computer downtime should be part of “any corporate disaster plan”, notes Roberton. And risk control measures should include proper staff training, along with control of incoming and outgoing material.

Whitehouse argues that insurance for cyber-risks is not the preferable route to take. “The job is to develop quick, proactive steps…what can we do to stop from getting the ‘bug’ in the first place? Insurance is the last place I’d look.” Part of the problem is the changing nature of the risks themselves. With new risks developing at the same frenetic speed as the technology itself, it is difficult to keep pace with what needs to be covered by insurance.

Insurers are now trying to catch up to their clients’ needs, introducing new covers for the variety of cyber-risks and liabilities. Slowly, insurers are recognizing there are risks not being covered, says Seaman. “Traditional policies may not be adequate to meet those needs,” he notes, so risk managers are relying on insurers to step up and offer covers that “fill the gaps”. But “we’re still not seeing a wide variety of covers”, he says. “If the insurance industry can’t provide a product, we’re going to have to self-insure, whether we like it or not.”

Samson agrees that the insurance industry needs to be more proactive, urging insurers and brokers “to explain what the coverages are…what is required to cover us?” Insurers should see this as an opportunity to market new covers, but they need to market their products better. “We need more feedback to see what is available.”

Kerr says the ball is in risk managers’ court in terms of how much insurance will be used in dealing with cyber-risks. “The question of what role insurers have to play will be dictated largely by the insured’s appetite for risk. A ‘known premium’ in exchange for an ‘unknown risk’ has always been and always will be a convenient way of dealing with uncertainty.”

A case for coverage

Just what coverage risk managers will need to seek out may still be up in the air in light of recent U.S. legal action. The highly publicized Ingram Micro case suggests companies may have more coverage for computer risks included under their general liability policies than previously thought. In the case, played out in Phoenix, Arizona, Ingram Micro Inc. sued its insurer, American Guarantee and Liability Insurance Company, to cover business interruption as a result of a power outage which shut down the company’s computer systems for about eight hours. A judge ruled that revenue lost as a result of the computer downtime was covered by Ingram Micro’s all-risk policy.

The implications of the case, which is under appeal, are unclear. Its applicability in Canada is up for debate, although Kerr points out that the tendency in the past has been for Canadian courts to look to U.S. cases to set precedent where none exists here. “I don’t see any exception to that general tendency arising out of this case.” The case certainly “opens the door” for future claims, says Samson. Hackett cautions Canadian risk managers and insurers against relying on the American precedent. There is no “pipeline to the Supreme Court of Canada to know what they will decide…they don’t have a crystal ball.”

And risk managers should not expect general liability policies to remain vague where cyber-risks are concerned, says Seaman. “If the courts interpret the insurer’s wording as applicable to something the underwriter didn’t intend, the underwriter will have to up the cost of the coverage or write exclusions in.” He compares the situation to pollution exclusions introduced into policies with the rise of environmental claims. In that case, a new breed of consultant developed to assess and recommend covers, a trend he expects to take place in cyber-risks. Risk managers cannot roll the dice and hope the courts will decide they are covered when a computer-related claim surfaces. “As a risk manager, I’d like to feel I’m going to discuss that up front with my underwriter, rather than in court,” says Seaman.

RIMS president Roger Andrews agrees. “I recommend that they [risk managers] start looking at their conventional program and not wait for litigation, as in the Arizona case. Find out if they’re covered first [before a claim is made].”

But Andrews also feels that cyber-risks may not be the minefield risk managers are predicting. The simple rules of risk management, assessment, control and cover, apply here as with any risk, he says. “It’s actually not a complex issue. If you look at the risks associated, they track with our standard risks.” The same risks, libel, intellectual property and the like, are already part of many companies’ risk management portfolios. “It’s on the minds of risk managers,” he allows, “but it will quickly pass as the number one issue.”