The Voice of Business, Industry & the Professions Since 1942
North Carolina's largest business group proudly serves as the state chamber of commerce







Related Story:
Maybe You Need 
to Talk to an E-Lawyer


Cyber 
Crimes

You're insured 
against virtually everything, so why 
is your virtual business left exposed?


By Lawrence Bivens

The news is becoming all too familiar. Yet another malicious computer virus makes the rounds of the online world, infecting 100,000 computers in a matter of hours. Once installed, the virus — this time known as “the Goner” — seeks out and destroys a number of programs, including Internet security systems.

Like the plot of a campy horror film, the virus drills down into its victim’s e-mail program, replicating itself exponentially onto the hard drives of unsuspecting computer users under the guise of a harmless note from a friend or colleague.

It is but one example of the dark side of the Information Age — and it can cost a company dearly. Such viruses can completely disable computers, leaving a company dead in the water. Besides the business lost during the down time, there’s the expense of getting the computers repaired.

New economy or old, the Internet has opened up a world of opportunities and risks for business. More than 50 million Americans logged onto the World Wide Web to shop during Thanksgiving week, according to Jupiter Media Metrix, which tracks Internet usage. That’s a 43 percent leap over the same period in 2000. Though much of this activity takes place at well-known, high profile sites such as e-Bay and Amazon, it also includes traffic at long-established local and regional firms that are just getting their feet wet in the “bricks-and-clicks” world.

“What business people have to remember first of all is that e-commerce is global in nature — it’s anytime, anywhere and in any amount,” says Walker Taylor IV, a principal at the Walker Taylor Agency in Wilmington. That fact, Taylor and others say, opens up business to new risks they may not have considered.

Experience illustrates the need for vigilance and the wisdom of being prepared for attack. The 2001 Computer Crime and Security Survey, which questioned some 538 computer security professionals from business and government, found that:

85 percent of respondents had detected computer security breaches during the previous year;

64 percent acknowledged financial losses due to computer breaches;

35 percent were able to quantify those losses, a figure that totaled nearly $378 million;

u The most serious financial losses occurred through the theft of proprietary information (more than $151 million) and financial fraud (nearly $93 million).

Responding to these new challenges, the insurance industry has begun designing policies that address both “first-party” and “third-party” risks related to e-commerce activities.

First-party policies cover such things as lost revenue and extra expenses that occur as a result of system crashes. Such policies also address losses of computer data, software and programs, be they caused by an employee or someone outside the organization. Increasingly important is coverage for “denial of service attacks,” when cyber criminals and mischief-makers bombard a web site with so many hits that service to customers is blocked.

Third-party policies cover losses stemming from the spread of a computer virus and claims made for injury or damage because of a wrongful act, error or omission in regard to professional services. They address the infringement of some form of intellectual property rights — trademarks and copyright violations, for example. Claims arising from the invasion or infringement of privacy rights may also be covered, as are losses that result from defamatory or libelous conduct.

E-commerce liability insurance, broadly defined, typically includes three levels of coverage. First, there is the liability associated with technology-based errors and omissions. It covers claims arising out of a performance failure or negligence of a business’s product or service. Second, there is protection against claims for media or intellectual property offenses, which might include alleged or actual instances of defamation, libel, slander, privacy violation, plagiarism and trademark or copyright infringement. Finally, coverage may be obtained for losses resulting from a breach of computer security. Such incidents can include data theft, online service interruptions, hacking or other events that can originate either externally or from someone inside.

 “The public nature of web sites and e-mail means there is always going to be exposure on intellectual property issues,” says Taylor, whose brokerage firm, the state’s oldest, handles insurance and risk management needs for large companies in the computer and biotechnology industries.

Some insurers only sell third-party liability policies. Others market just those insuring first-party risks. Some have policies addressing both types. Still others contend that many businesses can cover their exposure by amending existing commercial insurance policies.

Insurance experts advise business people to consider the following questions when evaluating their need for e-commerce insurance coverage:


We just have a small web site. What kind of risks could it expose us to?
Granted, most businesses are not e-Bay and Amazon. But e-commerce exposures can exist even for firms merely using the web for promotional purposes. Even a basic one-page site may be viewed by millions across the globe. “When you have a web site, you also open yourself up to trademark and copyright violation, as well as libel and slander issues,” Taylor says.

An online presence also can result in liability claims arising from the content posted on the site. In particular, sites that provide advice face potential claims of negligence when erroneous information on the site causes injury to one who relies on it. Examples include Internet sites that offer health or financial advice.


Doesn’t our existing business insurance cover us for that?
Most commercial property insurance includes a requirement that only physical loss or damage can trigger coverage for both property damage and “time-element” (e.g., business interruption and extra expense). But most e-commerce risks involve “non-physical events,” incidents where it is unlikely that loss or damage to tangible property has even occurred.

Consider the issue of employee theft. Most businesses have coverage for this age-old problem under existing commercial crime policies and fidelity bonds. But it’s likely that such policies exclude indirect losses and potential income that may be suffered when an employee purloins sensitive customer data, for example.

E-commerce also presents a challenge when it comes to determining the period of indemnity in which losses occur. “Traditional (first-party) policies typically have a defined period of indemnity,” Taylor says, “three months, six months, 12 months, for example. The problem in e-commerce is that the period may not be long enough. It may be better for some firms to have no limit on the indemnity period.”


Does coverage extend to claims made outside the U.S.?
Because the Internet knows no geographical barriers, businesses engaged in e-commerce on any level must consider that they are engaged in international business. “A ‘technology errors and omissions’ policy should cover losses to a business trading in intangible property,” Taylor says. “(That includes) information, software, credit card numbers, sensitive data — things that are the lifeblood of many businesses today. But an important question risk managers should ask is, ‘Is that coverage global?’ ”


Can I have e-commerce risks added to my existing business policies?
Most larger firms are opting to cover e-commerce risks by amending their existing insurance program. A drive to simplify their risk management programs has created a reluctance to take on new, freestanding insurance policies. But that shouldn’t translate into ignoring the issue, experts point out.

“We recommend companies look at their entire insurance program and determine what their needs are,” Taylor says. In most cases, that involves working closely with an experienced broker who is willing to be proactive in understanding the nature of the client’s business.

“In some cases, companies may want to simply amend existing coverage with global extensions for the time being. Then, later, they may want to consider a stand-alone e-commerce policy. It really depends on the business,” Taylor adds.

When officials at East Carolina Bank (ECB) developed an online banking portal, they considered all aspects of the risks they would be taking on. Launched in October 2000, the portal allows commercial and individual account holders to make payments, transfer funds and conduct other transactions anytime and from any location.

“More and more of our customers were asking for such a service,” explains Art Keeney, president of Engelhard-based ECB, “and for over 80 years a major part of ECB’s mission has been to help people manage their money and lives more conveniently.”

Thus the case for placing many of the bank’s services online, a bold move for a community bank. How has ECB managed the added risk of something going wrong?

“In the case of a banking institution, there is a broad span of regulatory compliance we were already required to meet,” says Keeney, whose bank has 17 branches across nine eastern North Carolina counties. Keeney and his management team worked closely with their insurance brokerage in analyzing the exposure that the new system would bring, and decided against a freestanding e-commerce product. “That’s not to say we won’t consider it later. We review all our coverage needs regularly.”


Could I be liable for something done by one of our computer contractors or venders?
You’ve been conscientious in reviewing your e-commerce related insurance needs, but what about those you’re doing business with? “Business people should also make sure that their contracts with business partners are backed up by the appropriate coverage,” Taylor advises. Again, in ECB’s case, state and federal banking regulations already mandated documented review of coverage by venders and providers. But most businesses don’t face such built-in safeguards, and experts suggest exploring whether contractors and other related businesses have covered their risks.


How standard are the new e-commerce insurance policies?
The insurance industry is designing and re-designing its e-commerce liability products based on the changing needs of clients and customers. Some insurers are designing policies that attempt to meet the needs of all sizes of business — from small startups to the largest Fortune 1000 firms. Others are tailoring products to fit unique needs. Certain policies offer cafeteria-like menus to pick and choose coverage options, while others are more rigid in their design.

Determining which product is right for any given business may not be obvious, and Taylor and others reiterate the need for a qualified broker. “Any insurance broker involved in this area needs to have experience as well as an understanding both of the policies and the industries,” he stresses. “They should also know the insurers and their products — what the policies cover and what they don’t cover.”


If we buy an e-commerce policy, how often should it be reviewed?
In such a dynamic world — with technologies, business needs and regulations changing rapidly — it is wise for businesses to revisit their e-commerce risk management programs on a regular basis. Taylor suggests that contact between broker and insured take place more or less on a continuous basis. He cites the above reasons and one more: “An ongoing review of coverage is also important because insurance products are changing, too.”


Who should be involved in making decisions about coverage?
Most experts recommend a team-oriented approach in order to effectively determine and review coverage needs. “A business needs a qualified advisory team that includes an experienced insurance professional,” Taylor says. In the case of ECB’s risk management strategy for its online services, that team includes Keeney himself, the bank’s chief compliance officer, corporate secretary, information security director and other internal officials, as well as functional experts from outside. “In some respects, we review our risk management needs on a daily basis,” Keeney says.

Just where e-commerce, its related liability issues and this new breed of insurance products are heading, none can be sure. If, for example, the Internet truly becomes imbedded into every aspect of our economy and society, shouldn’t e-commerce risk management ultimately fold itself into traditional insurance products? Or will the insurance industry continue to hone freestanding products as the market for e-commerce coverage continue to develop? Only time will tell.

 “Technology has made business instant and global,” Taylor concludes, “and the insurance industry has also had to change in order to satisfy new demands. In that way, it’s an exciting time to be involved in this field.”

Return to magazine index
 

 

Visit us at 225 Hillsborough Street, Suite 460, Raleigh, N.C.
Write to us at P.O. Box 2508, Raleigh, N.C. 27602
Call us at 919.836.1400 or fax us at 919.836.1425
e-mail: info@nccbi.org

Co_pyright © 1998-2001, All Rights Reserved