Coming To Grips With Internet Risk

As businesses realize the importance of insulating themselves from Web-based loss and liability, carriers have begun offering coverage for e-commerce risks.In October 1998, eBay Inc. was forced to take a dubious action mostInternet companies try desperately to avoid-it suspended a member's accountfor "misconduct."

Allegedly engaged in shill bidding-artificially inflating the price ofone's own possessions to enhance its selling price-the Chicago-based membercircumvented the suspension by creating multiple false electronicidentities to gain access to the site, eBay claims.

While executives with San Jose, Calif.-based eBay consider both shillbidding and misrepresentation to be onerous, the company soon faced a thirdcrisis: eBay claims the user overloaded its Web site with information,causing it to crash and jeopardizing eBay's business activity with its 12million members. In July, eBay sought a temporary restraining order in aU.S. district court to prevent the individual from visiting its Web site.

With exposure that ranges from hacker attacks and computer e-mailviruses to trademark infringement and copyright disputes, eBay's experienceillustrates the risk that all companies-including insurers-face every dayin conducting business on the Internet.

Indeed, as so-called insurance Web marketplaces and carrier Web sitescontinue to enable their customers to complete transactions via theInternet, the gathering and exchange of personal data has proliferated.Moreover, credit cards are often the preferred mode of payment. As aresult, carriers run the risk of having this proprietary data fall into thehands of unscrupulous parties.

Complex risk

In a brick-and-mortar environment, identifying risk and determining theextent of damage incurred is often more cut and dried. On the Internet,it's far more complex.

But several pioneering carriers have addressed the problem by offeringall-risk coverage for Web-based risk exposure. Functioning as a gap filler,these policies fill in the areas that commercial general liability policiesfail to cover.

Once prohibitively priced, policies for e-commerce risk are now moreaffordable to many businesses through more sophisticated underwriting toolsand more creative marketing techniques. What once might have been a seven-figure expenditure now costs a company with revenues of about $1 billionabout $25,000 a year, according to the Insurance Information Institute, NewYork.

"Anyone thinking that that they can rely on standard insurance formswith Web-based risk exposure is taking quite a bit of risk themselves,"says Michael Donovan, an attorney who oversees the technology group forHancock Rothert & Bunshoft, a San Francisco-based law firm.

And, despite the increasing number of sophisticated attacks on Websites and the proliferation of increasingly destructive e-mail viruses, fewcompanies are taking time to adequately focus on whether they haveinsurance for the array of risks they face in the world of e-commerce, saysLaurence Eisenstein, an attorney with law firm Swidler Berlin, Washington,D.C.

"Companies assume their traditional insurance is adequate to addresscomputer and internet issues without engaging in a thorough review of theexisting coverage," he says.

High-profile cases of risk exposure on the Web are forcing businessesto wake up to the reality of Internet-based coverage. The "Love Bug"computer virus that attacked e-mail servers across the U.S. in June calledattention to what's become a festering problem.

Similar to risk that's absorbed while doing business offline, abusiness operating on the Web aims to avert first-party and third-partyexposure. First-party exposure reflects damages incurred by the businessitself. An example of first-party loss is a company that loses a day'sworth of business on the Internet due to a computer hacking incident or thespread of a virus.

A third-party loss may occur if a business that's providing an Internetservice to a third party suddenly experiences a network shutdown caused bya computer security breach. In that event, the third party may sue or tryand recoup losses stemming from that breach.

Separate from a hacking attack or a virus, a business can also incurthird-party liability involving a Web-based content issue, such astrademark or copyright infringement, plagiarism, defamation of characterand slander.

In the past 12 months, several third-party cases of risk exposureinvolving a company's Web site activities have given rise to the need fore-commerce risk coverage. Three incidents include:

-A trade association posted files that contained copyrighted clip arton its Web site. The company owning the copyright for the artwork sued theassociation for copyright infringement.

-A dance center listed a former employee's name as a contact person onits Internet site. The individual brought suit against the center allegingunauthorized use of her name for advertising purposes and invasion ofprivacy.

-A company launched a Web site that featured unfavorable remarks abouta competitor. The competitor sued, alleging defamation.

The most vigilant businesses are acutely aware of their vulnerabilityto Web site risk. A computer crime survey by San Francisco-based ComputerSecurity Institute reported that 90% of the 300 respondents stated they haddetected security breaches on their Web sites within the last 12 months,with 70% classifying them as "serious."

These companies are more likely to research and acquire all-riskpolicies to protect their Internet initiatives. However, the concept of e-commerce risk often lulls companies into a false sense of security. In mostcases, Web-related attacks assume a low profile, Donovan remarks. "Mostcompanies tend to not publicize these incidents for fear they'll be atarget for a would-be hacker," he adds. "Since the numbers are notpublicized, companies that have Web sites fail to grasp the magnitude of asecurity breach. As a result, many remain lax and fail to explore theiroptions for protecting their Web franchises."

Better leverage

As more businesses become aware of Internet risk, carriers will havebetter leverage in marketing specific products, industry analysts project.As it is, the pioneering insurers of e-commerce risk products and servicesare moving forward in mastering the challenges of writing these policies.

"It's far more challenging to draft this type of coverage," states LeibDodell, media and intellectual property underwriting manager, ChubbExecutive Risk, a subsidiary of Chubb Group of Insurance Cos., Simsbury,Conn. "Developing a rating protocol was difficult since there were noactuarial numbers to use as benchmarks."

The inherent problems with e-commerce insurance is that the risk ishard to quantify, Donovan says. If someone steals a computer under acommercial general liability policy, it's covered; if someone steals thedata, it's not. In launching e-commerce risk coverage, carriers haveperformed surveys prior to underwriting these policies to better manage therisk. Surveys are expensive, though, and end up being passed on to thepolicyholder in the premium costs.

"This is a very uncharted area right now," Donovan says. "Some of themost comprehensive policies now combine coverage, but until recently all ofthese specific coverages would have to have been purchased separately."

Last February, Chubb Executive Risk launched an Internet-basedliability insurance product called Safety 'Net that offers companies amedia liability insurance policy designed to cover exposures occurring on aWeb site and via e-mails.

Taking six months to develop, Safety 'Net is an outgrowth oftraditional offline media liability coverage. "Over the last two years, Websites have become more sophisticated when it comes to content," Dodellexplains. "So we took traditional commercial general liability as itpertained to the media and 'morphed' it so it could address third-partyInternet risk."

Chubb thus far has received 500 submissions for information on Safety'Net, and 10% of the inquiries have been parlayed into actual policies,Dodell states. With its policyholders including retailers, law firms,insurance agencies and public utilities, Dodell expects the number ofSafety 'Net policyholders will increase over the next 12 months.

The key to increased penetration will be providing low costs along withcomprehensive coverage. "We provide coverage for any claim arising out ofInternet activities, which is broadly defined as the dissemination or useof matter on the policyholder's Web site, or the transaction of businessover the site," Dodell explains.

A premium for a Safety 'Net policy can be secured for as little as$1,500 a year, and for $15,000 a business can receive $1 million in medialiability coverage. Chubb also expects to add more products. "We will havea policy available at the end of the year that covers first-party risk,"Dodell says.

Creative marketing of Web-based insurance products is also helping tocontain costs. One new wrinkle to risk policies that cover Internetbusiness is a bundling program that provides the coverage if a policyholderoutsources its Web security initiative to a third party.

Counterpane Internet Security, an Internet security services providerbased in San Jose, Calif., is making risk insurance available to itsclients and their customers. Specifically covering an attack itself, theinsurance policy protects against loss of revenues and information assetscaused by Web-based security breaches.

Offered by Lloyd's of London and underwritten by insurance brokersFrank Crystal & Co. and SafeOnline, London, England, the program offerslower premium costs since policyholders are using Counterpane as anoutsourced security provider. This in turn minimizes the overall risk.

As a result, the program can offer $1 million of protection in theevent of hacker losses at a $20,000 annual premium, and cover $10 millionin losses at a $75,000 premium. The program offers up to $100 million incoverage, but it must be negotiated with Lloyd's.

Counterpane's customers can apply for two programs; the first ismarketed as the Internet Asset and Income Protection coverage. It providesinsurance for loss of, or damage to, information assets-data, customerlists, credit card numbers, budgets, proposals, work papers, or any otherdigital information-resulting from a breach of security or technologyfailure. The insurance also covers business interruption due to loss of useresulting from a breach of security.

The second program allows Counterpane's clients to extend the InternetAsset and Income Protection coverage to their own customers, says TomRowley, Counterpane's president and CEO.

No stone unturned

How large a market e-commerce risk insurance becomes is contingent onseveral X-factors. Cost containment will drive up participation, and costswill remain low if carriers can push the right buttons, analysts predict.Keeping the number of claims and settlement amounts in check will be key.

Since rolling out a Web-based risk insurance product in November 1998,New York-based Reliance National has had few-if any-claims to settle,Eileen Miles, a spokeswoman for the company, says. Reliance's program,which was originally marketed as InsureTrust when it was launched two yearsago, provides payment of defense costs, settlements, judgments and otherlegal expenses associated with covered computer network liability claimsbrought against insureds.

Reliance's program also applies to liability from computer securitybreaches regardless of whether hackers are external sources or employees,Miles says.

One key to whether businesses embrace policies governing e-commercerisk will be depth and diversity. These components, Dodell of Chubb RiskExecutive says, will win over businesses that are currently sitting on thefence. Safety 'Net features an "all risk" insuring agreement, offeringcoverage for online exposure that occur from the dissemination of contenton the policyholder's Web site. Other policies may be limited to aspecified list of named perils.

"Given the uncertainty of the legal rules governing the Internet andthe types of legal claims that will be generated by Internet activities, aninsurance policy that is limited to specified 'named perils' is a riskyproposition," Dodell says.

Like any other new insurance product, Dodell says that it will beincumbent on a carrier's sales force to communicate the individualcomponents of Web-based risk insurance coverage to companies that conduct alot of business on their Web sites.

But it's still a work in progress. "Even as recently as one year ago,it was difficult to explain this coverage to the average business owner,"Dodell says. "Many were not cognizant of the risk exposure present withoperating a Web site, while others might have been aware, but felt theywere bullet proof.

"There have been tremendous strides made with this type of coverage,and we really believe the sky is the limit as to how far this industry canexpand its use," Dodell says. "But for many agents and brokers it's still achallenge marketing it to owners of Web sites."

For reprint and licensing requests for this article, click here.
MORE FROM DIGITAL INSURANCE