For that reason, it is imperative to properly vet employees who will have access to sensitive information, from part-time employees to executives. A part-time employee can compromise confidential data just as effectively as a skilled hacker. Besides their own employees, companies should make sure that any technology vendors that they use also vet their own employees, including running criminal background checks.
Protecting Data Outside the Enterprise
Data becomes more vulnerable when it leaves a company’s systems, so particular care is needed when shipping physical copies of confidential information to make sure that records are kept safe through every step of their journey. Because digital technology allows the storage of massive amounts of data in a small space, media such as disks or tapes containing information can easily be misplaced or stolen. Companies need to make sure that they keep track of all physical copies of any kind of data while in transit.
Check Shippers’ Security Standards
In two separate incidents in 2005, one major bank reported that computer tapes containing account data on 3.9 million customers had been lost in transit, while another major bank said it had lost computer tapes with data on 1.2 million customers.(39)

To avoid such incidents, companies need to make sure that their shippers adhere to adequate standards to protect back-up tapes and disks in shipment. Measures can include barcodes or radio frequency identification tags to enable the constant tracking of physical copies of data in transit.
Confirm Outside Contractors’ Security Measures
As more and more companies seek to cut costs by outsourcing information-technology functions to domestic and foreign contractors, they often fail to take into account the risks that come along with sending vital business processes or confidential data outside the company. Companies need to carefully assess potential contractors to make sure that their data security standards and measures are strong enough to protect their clients.
Vet Your Vendors
Companies should ask potential vendors to detail their formal records-management process. They also should ensure that vendors meet applicable legal and regulatory standards and should check to see if a potential contractor has a history of violations. Once a deal is signed, managers should demand regular status reports on security from their technology vendors. Companies that don’t adequately vet a potential IT vendor may find that their new risks far outweigh the potential cost savings.
Insuring Cyber Risks
Even the most rigorous data-security measures cannot prevent all losses, such as those from a so-called “zero-day” attack, where hackers exploit a new vulnerability that software vendors have not yet had the opportunity to patch. While many companies have made strong moves to strengthen their data security, far fewer have taken advantage of risk transfer opportunities offered by the insurance industry. According to the 2005 CSI/FBI Computer Crime and Security Survey, only 25 percent of respondents (in a group of security-focused companies) had purchased insurance to cover their organizations against cyber risks.(40) That relatively small market penetration may be due to both a lack of appreciation for the severity of the emerging cyber risks and a lack of knowledge about the new coverages available.
Just as it has taken time for businesses from banking to retailing to adopt and adapt to new technology, so it has taken the insurance industry time to understand the new risks and to assess the potential pitfalls and opportunities. While insurers have long experience with traditional property and casualty risks such as fires, floods, and theft, technology has magnified some traditional risks in unexpected ways and created entirely new exposures.
New Risks Require New Insurance Products
Before the Internet, thieves would have to steal one credit card number at a time or perhaps break into an office to steal files filled with personal information. Now, criminals can extract information on thousands of accounts in seconds from thousands of miles away. Besides loss from theft, the insurance industry has had to recognize the potential for class action lawsuits, damages, and losses caused by network shutdowns and by the misuse of intellectual property. As insurers have recognized the scope of the risks, they have begun to develop specific products to deal with the new exposures.
Hurt by its past experience of providing coverage for poorly understood risks such as asbestos and pollution claims, the insurance industry has been seeking to avoid repeating the mistake with regard to digital exposures. Reinsurers have become particularly wary as the potential for accumulation of losses with no geographic limits or legal boundaries has become apparent. A major worldwide virus, for instance, could cause massive losses around the world, potentially leaving a reinsurer on the hook for large payments.
Over the last few years, insurers have gone through a process of separating the new risks from the traditional ones. Initially, the new exposures were handled through traditional lines of coverage, but the industry has since excluded cyber liabilities from standard policies. Standard ISO general property and liability forms have been rewritten to affirmatively exclude cyber exposures. In addition, larger insurers have excluded cyber exposures from their standard forms. Because they cannot accurately price the risks, traditional insurers that lack the expertise to fully assess a potential insured’s risk management and loss protection measures for network security and data security management have not been eager to underwrite cyber exposures.