By Alex Salkever The past six months have been tough on the insurance industry. Claims resulting from the September 11 terrorist attacks have totaled into the tens of billions of dollars. At the same time, insurers are struggling to recover from a decade of price wars that left reserves depleted. But one tiny part of this sector is going great guns -- the e-business insurance market.
This broad rubric covers policies that address threats new to the Digital Age, including virus attacks, denial-of-service assaults, cracking into company systems, and Web-site defacements. Some companies even write policies that cover cyber-extortion, where an online intruder or an insider steals crucial data such as customer credit-card files and demands a payoff. The rising tide of lawsuits against companies whose employees have used corporate e-mail inappropriately has also caught the attention of e-insurers.
The repercussions could be sweeping. Why? Because insurers will probably become a major force in shaping the computer- and network-security business. They'll likely mandate what types of security practices, providers, and products are acceptable, just as they've shaped practices and products in the construction and auto industries. "Things like CodeRed [a computer worm that appeared in July, 2001] are happening so often now that cyber-insurance will become ubiquitous. Then [insurance] price differentials will appear for different types of software," says Bruce Schneier, chief technology officer of Counterpane Internet Security.
BILLION-DOLLAR BUSINESS. From a standing start two years ago, revenues from policy purchases grew to just shy of $100 million in 2001, according to insurance execs. "This will be at least a $1 billion market by 2007," says Ty Sagalow, chief operating officer of American International Group's eBusiness Risk Solutions Group.
He should know: AIG (AIG) holds approximately 70% of the global e-insurance market and has written 1,500 policies for companies ranging in size from small businesses to giant corporations. AIG is best positioned to influence security software standards, and it's already doing so.
Other major players such as Chubb (CB) and Zurich North America (ZFSVY) now offer their own policies. Such coverage isn't cheap: A typical policy costs hundreds of thousands of dollars annually for only tens of millions of dollars worth of coverage. But these policies could become a mandatory cost of doing business in the next five years.
APPROVED SOFTWARE. Security experts point out that in the past few months several insurers, including AIG, have rewritten some of their general business coverage to specifically exclude cyber-hazards. "I would make an argument that most of them never did intend to cover it. They have just clarified matters," says John Wurzler, vice-president for worldwide sales at cyber-insurance broker Safeonline. Plus, two recent court cases have upheld insurance companies' claims that standard business policies don't cover damage to data and other nontangible business assets.
These developments set the stage for insurers to begin setting de facto security standards for customers. As part of AIG's NetAdvantage policies, it offers customers a 10% discount on security software from Computer Associates (CA), according to AIG's Sagalow. "What we prefer to do is look at a piece of software and believe that if it lowers the risk for our insurance, we make it available to them," he says.
AIG has also partnered with managed security-services company RIPTech. Zurich Financial Services Group customers are encouraged to work with the insurer's managed security-services partner, TruSecure. And according to Counterpane's Schneier, his customers can get much lower rates on cyber-insurance from underwriter Lloyd's.
RISING PRESSURE. The same cost incentives can be extended to other services, such as data hosting. Witness the deal big insurance broker Marsh McLennan (MMC) struck in July, 2001, with communications giant AT&T (T). Companies that use AT&T's Internet data centers and managed Web-hosting services get a discount on e-business insurance from Marsh, as well as streamlined policy approval.
That's the wave of the future, as insurers exert even more pressure on the technology practices of any company wishing to insure this increasingly important facet of business. Schneier, for one, thinks that insurers will demand responsibility from software companies for flaws in their products -- and that they'll have the legal firepower to hold the software outfits accountable.
For now, insurers are more concerned with existing practices than they are about demanding specific software packages, say industry execs. And only a small percentage of companies have invested in cyber-insurance to date, by some estimates, less than 20%. Many still don't see the need for this type of coverage. "It's much cheaper to buy business-income insurance that can cover when there's a fire than it is to buy business-interruption insurance to cover when there's a hack," says Mike Zeldes, head of the cyber-insurance division of Kaye Insurance Associates, part of Hub Group.
As cyber-insurance goes from exotica to a business necessity, the computer-security industry will have to adapt to keep the insurers happy. That's good news for customers, since it will not only allow them to manage their cyber-risk but also give them a strong advocate for more secure software and hardware. The question is: How far are they willing to open their wallets? Salkever covers computer security issues weekly in his Security Net column, only on BusinessWeek Online