The digital age continues to produce new risks that need to be assessed. Lynn Rouse reports from a recent International Underwriting Association roundtable on how best to manage these exposures
Launched in 2001, the purpose of the International Underwriting Association's Digital Risk Working Party has been to demystify electronic exposures associated with the networked society.
Globalisation of the internet society, growth of e-commerce generally, and increased political and economic turbulence around the world, have all combined to produce new exposures, necessitating heightened security practices. However, as the technology itself is constantly evolving, so too is the exact nature of digital risks. With this in mind, the IUA gathered experts around the table to debate the key issues in the sector.
Paul Skinner, chairman of the DRWP and senior information communication technology underwriting specialist with Chubb Insurance for the UK and Ireland, first asked the experts to detail how they see these risks evolving.
"New digital risks are going to be a proliferation of what is out there already," responded Chris Cotterell, director of Safeonline. "If you are looking at the more rapid uptake of the internet, we will see e-mail liability and e-mail thefts, people hacking in, and the stealing of confidential information - so copyright issues will become more prevalent. As we get more blockages around ports, caused by increased traffic, everything that sits around those blockages will be easier to get into and information compromised. This is a growing concern to insurers."
Chris Simpson, officer in charge of the Computer Crime Unit at the Metropolitan Police agreed, adding: "As more company assets and business functions move onto the network, companies are becoming increasingly reliant on their computer systems. For example, the movement towards emerging technologies, such as Voice Over Internet Protocol and tools like instant messaging typify this shift. The increased reliance brings with it business benefits but also increased vulnerability."
From a legal perspective, Andrew Horrocks, partner at Barlow Lyde and Gilbert, pointed out that many of the laws governing these risks pre-date the technology itself. "A lot of what we refer to as e-risks are just new ways for people to get into trouble - if you are talking about defamation over e-mail as opposed to print, it's the same principles that apply. The laws affecting online trading, for example, go back to well before the digital age. There are some new statutory aspects, however, with the Data Protection Act being an obvious creature of statute. To my mind that, and the whole issue of data security, is quite an important area for businesses and, therefore, insurers."
Many problems arise from the fact that information is so freely available and so quickly distributable; breaches of confidentiality and security therefore have far more wide-reaching effects.
Enhanced speed of communication is not the only concern - volume of information is an equal worry. "Previously, to get information out of an organisation, you had to put it into your briefcase and hope you wouldn't get searched on your way out. Now it is possible to effectively wheel out a whole filing cabinet on a USB stick," warned Dr David King, head of group information security at Aviva. "And, frankly, no one is going to detect it. That in itself is a risk. So, the aggregation of the sheer amount of information that can be shipped, coupled with increasing technologies enabling intelligent search of massive amounts of information, is clearly a concern and produces the different aspect of digital risks to those organisations faced before."
Convergence of technologies is also heightening risk. For example, what used to be a camera and a separate phone could now be one object that can also browse the net. "One of the challenges, for people such as myself, is that, if we are going to introduce information security policy and rules, what are we actually talking about when technology ceases to have a known, individual function?" said Dr King. "How do we capture that, and introduce controls that cover this meeting of technologies?
"Portability and functionality will be market driven by manufacturers keen to make money from exploiting niches, and security has got to somehow keep up with that."
Stuart Livingstone, business development director at Dionach, added: "From a technical perspective, risks are now moving away from attacks on traditional forms of defence. One of the current buzz words is de-perimeterisation - the changing of the perimeter and its depth. Questions that need to be asked are: what are we trying to secure; where does the information live; and how do we expand policies to cover these areas?
"People have been taking advantage of the vulnerabilities of the low-hanging fruit of unsecured networks and reliance on stand-alone solutions," he continued. "Companies are, to a large degree, improving on this front, however. So the low-hanging fruit is being pulled higher, and the criminals are now going after relatively untouched areas, such as application security."
Internal and external threats
Next up for debate was whether the threats relating to these new risks arise to a greater degree from internal or external sources. "Certainly all the available surveys seem to suggest disgruntled employees are the main worry, and where problems tend to come from," said Mr Horrocks. "You can have good employment contracts in place, plus e-mail protocols, and be vigilant about your information policies but you can't legislate for everything. Means, motive and opportunity are all there in greater measures internally," he added.
Mr Simpson cautioned against making any firm conclusions at this stage: "We are talking about such a low level of reported incidents that trying to scale them up to produce a pattern would be virtually impossible."
The preparedness of firms for fast-spreading virus attacks, such as the Love Bug virus, underlines the absolute need for good contingency planning, according to Dr King. "There is still a question mark over whether you can get anti-virus patches out in sufficient time to deal with all the latest variants," he said. "If a patch does not exist and the latest variant comes out, you are vulnerable. Therefore, organisations must have effective incident response - comprising more than just IT and security - so they know exactly what to do until such time as they can get the patch from the vendor."
Mr Cotterell agreed: "Insurers are looking to ensure that companies have good plans in place for patch management, because insurance will cover them for the time before a new patch is available from the vendor. When there is no management of this situation it becomes a problem."
Denial of service attacks then came under the microscope. "These focused attacks can be damaging to reputation but also the sustainability of a business model is called into question," said Dr King, asking the other guests for their opinions on DoS attacks, "are they becoming more prevalent and more focused? Will terrorists use these in anger in future?"
Mr Simpson responded by saying: "The technology is out there and is getting easier to use. You can buy virus-writing kits online, you can develop your own robot network of compromised machines and point it at whomever you want to attack." Even taking a company offline for an hour is really going to hit its revenue stream, he said, underlining the importance of companies demonstrating and documenting their protective strategies, detailing how they have assessed the risk of this particular threat, and what they have done.
First and third-party losses
At this point Mr Skinner put a new question to the panel: what is the most significant for insurers - first or third-party losses?
When it was proposed that first-party losses could be more significant, based on the previous comments about disgruntled employees causing disruption, David Walsh, managing director of CFC Underwriting, replied: "From a top line perspective, I would argue to the contrary and say that third-party losses have the greater potential for severity. However, the real threat from a first-party standpoint, is a Love Bug virus with teeth, a Love Bug with a real payload - as this could cause a catastrophic sideways loss. However, such virus attacks only tend to translate into real numbers if they hit big companies and organisations."
Fear of the unknown was suggested as a problem with third-party losses. "Since the Love Bug virus, people have got a lot better at the incident side, the clean up, and their ability to get businesses back up and running," said Mr Cotterell. "With the third-party aspect, however, such as people claiming for 'hurt' over the internet, and the subsequent lawsuits, you just can't quantify the potential payout. We could see costs spiralling upward and, therefore, third-party losses become more concerning from an underwriting standpoint."
How significant will the threat of ID theft prove, and can insurers help tackle the problem?
Although diverging opinions were voiced about new insurance products available to cover individuals for the cost and time of re-establishing their identities, the most significant issue for insurers surrounds the indemnifying of companies holding vast amounts of personal data. If such information is hijacked by criminals to generate significant revenue, Mr Simpson warned: "That then poses some real issues for the data holder, as they have potentially breached their responsibilities under the DPA, making them susceptible to claims from third parties, such as banks and other financial institutions." If they did not have sufficient protection in place, guests agreed, the stealing of such information could result in a severe financial hit in terms of third-party liability.
Mr Horrocks added: "On the other hand, if they are adhering to industry-standard security, this could help their defence when accusations of negligence are made."
Dr King pointed out: "This brings a challenge to all of us: how do we establish the identity of an individual; how much verification and validation do we need to do?"
Mr Simpson suggested that introducing two-factor authentication in the UK could help.
So how should risk assessment, when it comes to information security, evolve? Mr Livingstone argued that perhaps it is more important to first ensure companies are employing effective policies - before worrying whether these are evolving. Regarding the recognised standard of BS 7799 specifically, he commented: "Uptake in certification has been relatively slow. When I last checked, there were only 200 or so companies, or parts of organisations, listed as being fully certified."
Dr King explained, however, that many organisations claim to be compliant with BS 7799 without physically going through the certification process, as this requires significant investment. "If an organisation chooses not to go down the certification route, at least it is a conscious choice and they know which bits have been left out." He advocated taking a risk-based view to identify spending needs and said that BS 7799 provides a useful framework of best practice.
Where the bar is set for standards is also crucial, said Mr Livingstone, and is something that concerns him at the moment: "We have seen cases where the level is set right down at the lowest common denominator."
Explaining that, as a free test for potential clients, his company carries out a limited online attack from an external perspective, he referred to the outcome of one such test with an online trader.
"We were able to compromise their system in a way that would not even have been touched by what their standard was asking for in terms of checks and vulnerability assessments. Where the bar is being set, and the level of checks required, are often just not good enough to stop people heading into company systems or exposing credit card details and other personal information."
Mr Skinner then raised the problem of how to benchmark smaller companies: "BS 7799, for example, could well be too confusing or complicated." Mr Walsh added that, while the highest standards would be expected from a financial institution, a more realistic approach is required for smaller companies. "If we insisted on clients adhering to BS 7799, we would soon find ourselves with no clients. So we need to be pragmatic about our requirements."
Mr Horrocks, however, pointed to a valuable compliance spin-off: "There is the potential for a third-party claim if there has been a security breach, and an organisation is thought to be at fault. In this scenario, compliance with such a standard will very much help that organisation's defence. It may not have done everything possible but it will be able to demonstrate that it has done everything reasonable and so has not been negligent."
So, can insurers and the security industry keep pace with the new threats, asked Mr Skinner.
The consensus was a definite no, and Mr Livingstone explained why: "There is always going to be a gap. Where new threats and vulnerabilities arise, the security vendors will spot them, devise a solution and release it. The bad guys will have the advantage by being there first, however. It would be impossible to engineer every threat out of existence in the IT world but there is also a big commercial driver behind the security industry to keep up with emerging threats, and stay on top of them."
Mr Simpson stressed that IT-related threats must be viewed in the context of wider threats faced by businesses and Dr King agreed: "If you broaden security to encompass business continuity and crisis management, you can then judge information security threats and their potential cost in context. It is absolutely critical, not least for the credibility of security departments, to keep that balanced view."
To conclude, Mr Skinner argued that there must be a direct reporting structure into the main board, so that the issue is not IT but security - internal and external. "This is very important to stress, as budgets are often thought of as pure IT budgets when they are not. How many security officers report directly to their boards? This is a question we, as an insurer, have been asking for many years."
Chair: Paul Skinner, chairman of the Digital Risk Working Party and senior information communication technology underwriting specialist, Chubb Insurance
Chris Cotterell, director, Safeonline
Scott Farley, PR manager, International Underwriting Association
Andrew Horrocks, partner, Barlow Lyde and Gilbert
Dr David King, head of group information security, Aviva
Stuart Livingstone, business development director, Dionach
Chris Simpson, officer in charge of the Computer Crime Unit, Metropolitan Police
David Walsh, managing director, CFC Underwriting