Agency Web sites and other elements of e-business create new risk. Hackers, for instance, may find a way through the firewall and steal or modify data. Risk management offers some solutions and e-Business policies provide coverage.
What's especially interesting about e-business exposure is that your business customers face it as well. They need help understanding the risks, how to minimize them, and coverage to insure against them. E-business exposure is a two edged sword. On the one hand, it's a bother; on the other, an opportunity to create new value and new sources of revenue.
e-Sher Underwriting Managers
I had a chance recently to visit with Philip Pierson, founder and manager of e-Sher Underwriting Managers, one source of e-business insurance. His group helps agencies understand e-business risk and its management and provides relevant coverage. But perhaps more importantly, they supply the tools agents need to provide the same analysis, management, and insurance for agency commercial lines customers. Since most businesses don't understand the risks associated with e-business or how to manage and insure against them, agents who offer help in this area can distinguish themselves from the competition, provide brand new value to their customers, and generate additional premium.
Is the threat real?
We hear a lot about viruses, security breaches and the like but how real are these threats? Are they rare or common? Does risk management and relevant insurance really matter? If you had trouble in the last year with the Love virus, or more recently with the Code Red worm, you've had direct experience. If your computer system is connected to the Internet and you have a firewall (software that detects and rebuffs intruders), you can see for yourself.
I run Black Ice firewall software on my system. Whenever I'm connected to the Internet and an intruder tests my system looking for a way in, Black Ice protects my system and also let's me know that someone has been trying to get in. When I installed the software about a year ago, I thought intruders would be few and far between. In fact, several times an hour a hacker someplace in the world tests my firewall. There must be thousands of hackers out there working hard to penetrate the defenses of the tens of millions of computers attached (full or part-time) to the Internet.
How big is the problem nationally? How much money is lost? How many companies are affected? According to e-Sher, attacks cost some companies hundreds of millions of dollars per year and the cost is rising. In one survey, 70 percent reported network intrusions. One calculation suggests this year's aggregate annual cost will exceed $1.5 trillion. Whatever the real numbers, the threats are real and rising.
Categories of risk
What categories of exposure does your agency face when pursuing Internet-related business opportunities? e-Sher points to six areas of concern:
Virus attacks: The Love virus that originated in the Philippines, created by a relatively unsophisticated hacker, spread across the U.S. and the planet like wildfire. More recently Code Red caused problems to Cisco routers that lingered for weeks, disrupting Internet traffic. And lately reports suggest that even Adobe Acrobat PDF files may become subject to viruses, a surprise to many experts who considered them safe. Though an agency or other business can survive a virus attack, putting computers and networks together afterward can take a great deal of time and technological effort. That can put a business out of business temporarily -- at great cost to credibility, the ability to take orders, and in customer service effectiveness.
Denial of service attacks/electronic sabotage: Last year, eBay and other e-businsses were effectively shut down by denial of service attacks. Apparently not difficult to initiate, denial of service isn't an attack on a Web site itself, but on the ability for customers to reach it. Hackers take control of hundreds of computers and cause them to fire millions of requests at a site in a short period of time. The site's servers can't handle the requests fast enough and become clogged up, unable to perform their normal duties. Sometimes shutting down the site until the storm passes is the only way to handle the problem. Denial of service attacks can even affect the performance of the Internet generally.
Security breach/cyber-terrorism: In a security breach, the hacker finds a way through the firewall and gets access to sensitive systems that lie behind it. Every so often the press reports that one or another Federal government site was breached, sometimes resulting in malicious mischief to the site.
Netspionage: Some hackers want to demonstrate their skills and the ineffectiveness of security measures intended to defeat them. Others have a business purpose in mind. They want to steal confidential information from a company network and then use or sell the information.
Fraud/Modification of service: We've all seen reports during the last few years of credit card files stolen from merchant systems and then used to generate revenue for a hacker. In some cases the theft and use of credit card information wasn't detected for several weeks -- making follow-up and tracking more difficult.
Equipment/software failure: Even without malicious individuals bent on attacking a business through its technology extensions, the technology itself may fail -- often without warning -- leaving Internet users stranded and unable to complete sales or service transactions.
Who's at risk?
It isn't just Internet pure-plays that are at risk. Any agency (or business) that uses the Internet runs the risk of attack, extra expense, and lost revenue. And perhaps more importantly, some situations could result in the creation of significant liability -- enough that a successful lawsuit could result in the demise of the business.
Traditional coverage
Some agents and business believe that traditional business polices will adequately cover e-business risks -- or will with the addition of an endorsement or two. According to Pierson that's an unrealistic view. Traditional policies simply never anticipated the phenomena of e-risk.
Pierson suggests that agents should look at four areas (for themselves and each of their business insurance customers): Though one might expect that media liability and E&O coverage would handle Web page building and confidential information/online financial transaction risks, they may not. In addition, E&O covers individuals, not the business itself and so may not cover online operations. ASPs, software vendors, and other service providers may be able to excuse themselves via standard contract wording. Only their explicit acceptance of the transfer of risk will suffice. And finally, business interruption service may not cover e-business exposures.
e-Sher suggests agents focus on two coverage areas: first-party damage and third-party liability. Any of the problem areas outlined above could result in loss or liability. e-Sher and other e-business insurance suppliers can provide risk analysis templates that can help agents identify areas of exposure their business customers face.
One source of expertise on prevention and relevant coverage is the underwriters who handle e-business risk. Once you know what to look for you can help your customers identify their exposures and then reduce and/or insure them. e-Sher suggests that agents interested in providing e-business risk management and coverage should become familiar with technology, security issues, case studies and the like. Since not all agents have the time or inclination to do so, those who do will acquire a competitive advantage over those that don't. And since e-business activity will continue to grow rapidly -- not just from dotcoms (that survive) but especially from brick and mortar businesses -- e-business insurance will expand as an area of opportunity.
All the more reason to avoid the Internet?
If contemplation of thousands of hackers all over the world trying to destroy or at least disrupt your agency doesn't give you the creeps, it should. But that doesn't mean you should or can avoid doing business through the Internet. There is just too much potential advantage, and risk can be reduced and insured against. If you make the effort to understand and take care of your own situation, you'll be in a good position to help your customers do likewise. You can use that expertise to sell against the competition not willing to enter the scary 21st century and you can generate more revenue per client -- a worthy goal.
For more information on e-Sher, see www.e-sher.net.
© Copyright 2001 by Sound Internet Strategy. All rights reserved