[iwar] [fc:Cyberinsurance:.As.the.risk.increases,.so.will.the.interest.in.policies.and.the.cost.of.premiums.]

From: Fred Cohen (fc@all.net)
Date: 2001-11-29 17:12:08


Cyberinsurance: As the risk increases, so will the interest in policies and the cost of premiums.

By Colleen Brush, Information Security, 11/29/2001
http://www.infosecuritymag.com/articles/november01/industry_cyberinsurance.shtml

Since its inception, cyberinsurance has been billed as a way for
companies to underwrite potential hacking losses for things technology
cannot protect. The concept of insuring digital assets has been slow in
catching on because the risks and damages were hard to quantify and put
a price tag on.

The Sept. 11 terrorist attacks quickly elevated corporate America's
interest in cyberinsurance, as industry magnates looked for ways to
mitigate their exposure to cyberterrorism and security breaches. At the
same time, it has become harder to find underwriters willing to insure
multimillion-dollar cyberspace policies. For carriers willing to sell
such paper, the premiums have skyrocketed.

"I think prior to Sept. 11, the focus, when it comes to information
security, has been on critical infrastructure," says Jeffery S. Grange,
VP and global manager of fidelity financial products at insurance
company Chubb & Sons, Inc. "Post-Sept. 11, it has shifted to homeland
defense and trying to understand whether or not financial institutions
and other critical infrastructure such as telecommunications are
vulnerable to cyberterrorism."

Insurance stalwarts such as Lloyd's of London, AIG and Zurich now offer
policies for everything from hacker intrusions to network downtime. The
breadth of cyberinsurance policies is growing, from simple hacker
intrusion, disaster recovery and virus infection to protection against
hacker extortion, identity theft and misappropriation of proprietary
data, Grange says.

While the market was already moving to provide policies to cover these
risks, many executives viewed cyber-insurance as a luxury that yielded
few tangible benefits. Ken Cutler, managing director of the Information
Security Institute (www.misti.com), says many risk managers buried their
heads in the sand, believing they would never need anything like
cyberinsurance.

"There was a naivete on the part of senior management," Cutler says. "IT
managers were not willing to admit they had to fix something of that
magnitude, because they are afraid to go ask for the money."

The aftermath of the attacks illustrates the interconnectedness of all
systems: financial services, information and communications,
transportation, electrical power, fire and police, says Lee Zeichner,
president of LegalNet Works.

"They all relate in profound ways we are only now beginning to
understand," Zeichner says.

Businesses are starting to think about what type of recovery position
they would be in if something similar to the World Trade Center attack
happened to them, industry analysts say.

"Some of the disaster recovery plans I have seen, more often than not,
I'm not sure they would do quite well as an American Express or Merrill
Lynch did," Cutler says.

While the cyberinsurance market may reap growth in the wake of the
tragedy, carriers are tightening the terms and conditions of policies.
Premiums are going up significantly, and underwriters are hesitating to
sign big policies, industry experts say.

In the past, companies seeking a $25 million policy could find someone
to cover them. Now, it's much more difficult. Underwriters who didn't
blink at $5 million or $10 million policies would rather insure $1
million policies, say cyberinsurance brokers.

"The marketplace is in transition, and there's undoubtedly a hardening
of trading conditions for both traditional property and casualty
insurance, as well as the emerging new e-commerce products," Grange
says.

Premiums on cyberinsurance are an easy mark for price hikes because
there's little historical data on which to set premiums. It's difficult
to pinpoint the losses if data is corrupted, a network is hacked or
system uptime is disrupted. The fear of bad publicity keeps many
companies mum on hacking incidents, which makes it more difficult to
collect data for projecting future losses.

In order to develop robust cyberinsurance, two major developments need
to take place, Zeichner says. First, sufficient actuarial data needs to
be collected. Second, insurance carriers need to gain a better
understanding of the IT systems in use and how they interact with other
information and automated systems.

Industry analysts predict underwriters will push any changes in
cyberinsurance offerings and the systems used by policyholders. The
first indication of this trend came earlier this year when J.S. Wurzler
Underwriting Managers tacked a 5 to 15 percent surcharge on
cyberinsurance premiums for users of Windows NT on IIS servers, citing
their poor security track record, which makes them more expensive to
insure.

"I think the underwriters are going to force the issue by saying, 'Look,
if you lose your whole business, if things like that happen, you can
expect to pay a higher premium,'" Cutler says.

COLLEEN BRUSH (cmbrush@hotmail.com) is a business reporter for the
MetroWest Daily News in Framingham, Mass. She has nearly 10 years'
experience in print journalism and public relations.




This archive was generated by hypermail 2.1.2 : 2001-12-31 21:00:00 PST