Thursday, April 15, 2004

Cyber Risk Insurance Today

By Thomas Glaessner, Tom Kellermann and Valerie McNevin
The World Bank

Electronic Safety and Soundness: Securing Finance in a New Age

Today, in spite of the formidable reporting problems inherent in establishing a benchmark to actuarially measure the risk of hack attacks, electronic identity theft, and other forms of related e-risk, insurance companies are writing coverage for such risk. The development of e-risk policies first occurred in the mid-1990s. Insurers developed stand-alone e-risk policies rather than adding coverage to existing property and liability insurance. Market participants have also used employee liability coverage as a model for pricing and issuing this insurance.

In underwriting this risk, insurers combined information security standards, such as the BS7799, with principles of risk management that included analysis, avoidance, control, and risk transfer. Today, insurers recognize the ISO 17799 information security standard, which addresses these issues in the following 10 major sections:

1. Business continuity planning
2. System access control
3. System development and maintenance
4. Physical and environmental security
5. Statutory, regulatory, or contractual obligation compliance
6. Personnel security
7. Security management for third-party access or outsourcing to a third-party service provider
8. Computer and network management to safeguard information assets
9. Asset classification and control
10. Security policy management support

As part of the e-risk application process, several major insurers, including AIG, Zurich, Chubb, St. Paul, Progressive, and Lloyd’s, have incorporated the ISO 17799 standards into a baseline security questionnaire that becomes part of the insurance application in e-risk policies they underwrite. In order to bind coverage, the insured must meet a certain security threshold for insurability, and the precise nature of such thresholds has not been completely standardized within and across countries. In part, this reflects the very dynamic impact of technology in this area. Despite these developments, the use of e-risk policies is still nascent.

In the case of first-party coverage, such policies are being explicitly designed to provide coverage against network extortion, computer theft, damage to digital assets and information as intellectual property, and business or dependent business losses. In the case of third-party coverage, such policies are designed to cover network security or loss event liability and electronic publishing and multimedia liability.

In underwriting these special e-risk policies, insurers are increasingly assessing the extent to which specific providers of financial or other services are in compliance with appropriate standards in each of the 10 areas specified under ISO 17799.