Raising the profile of digital risks
© lloyds.com Limited 2002
Tuesday, 7th May 2002 - DK Matai, chairman and CEO of mi2g, a digital
risk management and bespoke security architecture group, tells lloyds.com
the appetite for digital risk insurance is not as strong as it should be -
especially as such cover is usually excluded from traditional policies.
Creating awareness
Viruses, worms and denial of service attacks receive high-profile media coverage
and can cost companies millions of dollars in downtime. But DK Matai, chairman
and CEO of mi2g, tells lloyds.com that many companies are not sufficiently
aware of the nature of digital risks or what coverage is available for them.
Matai regularly lectures on electronic security and defence issues and is
a specialist advisor to the International Underwriting Association's (IUA)
Digital Risk Working Party, which was established in November 2001.
What does the IUA's Digital Risk Working Party hope
to achieve?
The IUA's digital risk working party hopes to establish greater awareness
of the precise nature of digital risks and liabilities within the insurance
and reinsurance industry – both at the supplier and customer level – and their
impact on existing risk transfer solutions, as well as new mechanisms.
Since January 2002, what kind of policies have excluded
digital risks because of September 11?
Even before September 11 the issue of data exclusion and other digital liabilities
was under consideration by insurers and reinsurers for exclusion. But the
shrinking of the capital base of many players post-September 11 has galvanised
action amounting to data exclusion in the property, business interruption
and liability areas.
Are companies sufficiently aware of their digital
exposures?
Businesses are largely unaware of the ramifications of data exclusion. They
have not fully understood and quantified the cost of downtime, loss of business,
damage to brand name, share price crash, loss of data to rivals and upstream
and downstream liability. The Carlsbad-based Computer Economics Institute
has estimated the worldwide economic impact of malicious code attacks reached
$13.2bn in 2001. For example, post the recent exclusions, property insurance
cover does not include the data on a CD-ROM burned in a fire.
The value of the intellectual property on the CD may be £1m ($1.4m), but
property insurance excludes data and cover for the loss of the CD at £1 to
£10. Insurance companies would argue that property cover never covered digital
risks such as loss of intellectual property, but now they have made it an
explicit exclusion.
If a business suffers an interruption as a direct result of erroneous feeds
of data or omission of certain data, the business interruption cover may not
apply post the data coverage exclusions.
In this case, insurance companies would argue that business interruption
cover never covered digital risk such as errors and omissions, but now they
have made it an explicit exclusion.
What do you feel is the right balance between companies
adopting risk management measures and buying insurance?
Preventive digital risk management encompasses buying the appropriate insurance
cover as one of the measures from mi2g's perspective. Digital risk management
covers four key areas: Technology, people, law and insurance. Within technological
areas one would look at the configuration of computer equipment, disaster
prevention and recovery, its compliance with the ISO17799/BS7799 standard
as a benchmark, as well as intrusion detection and the speed of response in
dealing with anomalous digital behaviour patterns.
On the people side - which is the critical area as 70% of digital attacks
are due to people-related exposures - it comes down to the correct policies,
training and vetting that help to control the most unpredictable element of
digital risk without stifling creativity.
With respect to law, the issue is jurisdiction. This includes dealing with
breaches of the Data Protection Act, litigation and defence within the international
environment.
Regarding insurance, it is a case of procuring the usual business interruption,
workers' compensation, property and liability cover suites along with appropriate
specialist digital risk covers that fill the gaps created by exclusions.
Premiums have soared post-September 11, and we are finding the appetite
to buy digital risk cover is not as strong as it should be. Businesses are
cutting back even on their existing policies within this hard priced environment.
Will cyber insurance ever become ubiquitous?
Yes. Either when the government legislates and makes it mandatory, or when
there is a high profile digital disaster which makes captains of industry
at CEO or CFO level sit up and take note of digital risks and effective ways
to manage or mitigate them. According to the 2002 FBI/CSI computer crime survey,
commercial and governmental organisations are reluctant to admit breaches
– even to the police. This culture is understandable. But it will need to
change to arrive at a juncture where buying digital risk cover will be considered
acceptable.
Hackers are often part of the companies and organisations
they attack. Should fidelity risks be managed alongside digital exposures?
Yes. The biggest digital threat to organisations is from within, unless
that organisation is specifically targeted during a war by an online enemy
attacker or enemy-sympathetic attackers.
You have spoken of 'asymmetric warfare'. What is
an 'asymmetric' digital attack and how are the risks of one evaluated?
An asymmetric digital attack may be from very few individuals, but impacts
thousands - say 40% of the 40,000-strong workforce of a multinational. Most
digital attacks are asymmetric. The typical impacts of a digital attack may
be:
- Piracy: The loss of sensitive information or intellectual property.
- Surrogacy: The usurping of the electronic identity of an organisation
or individual and abusing their brand or good name.
- Denial of service: Business interruption.
- Hazards: Malfunctioning fire alarm, elevators, security cameras, air conditioning
systems.
How can such attacks be mitigated?
Digital attacks can be mitigated only through a concerted and holistic effort
to remove vulnerabilities on multiple fronts. On the technical side, mitigation
may be achieved through bespoke security architecture comprising firewalls,
intrusion detection and anti-virus toolkits. With respect to human resources,
it may be achieved through the correct personnel policy and training that
prevent social engineering, plus up-to-date employment contracts and vetting
procedures.
On the legal side, mitigation may be achieved through the appropriate adherence
to the UK Data Protection Act and service level management umbrellas that
encapsulate the appropriate security measures within service level agreements.
There is no such thing as 100% security, which is where insurance comes
in. In such circumstances, the appropriate insurance cover that deals with
business interruption, liability, property and workers’ compensation specifically
relating to data risks would be appropriate.
Has the correlation between political conflict and
digital attacks become more evident since the NATO air strikes on Serbia
in 1999?
We have found over the last four years that most international digital attacks
not internally motivated by disaffected employees are driven by ideological
concerns. Those concerns may range from such groups as anti-capitalist protestors,
environmentalists, animal rights demonstrators, and anti-biotechnology and
genetics modification protestors to political activists who oppose a particular
government or ideology. The other primary reason is intellectual challenge.
The China-Taiwan cyber war of July-August 1999, the America-China cyber
war of April 2001 and the anti-NATO countries cyber attacks in September and
October 2001 are good examples of political conflicts that led to digital
attacks.
The one to watch in 2002 is the Israel-Arab conflict and how digital attacks
square up in the months ahead as a direct result of political tension.