Cyber Slumber: A Wakeup Call for Commercial Insurance and the Companies That Buy It
By DREW BARTKIEWICZ, a technologist and author of the upcoming book Unseen Liability, and Vice President of Cyber and New Media Markets for The Hartford
Not since the 1980s have the insurance and reinsurance markets had to make such a shift in their assumptions, products and pricing for insuring big business risk. With technology playing an increasingly dominant role--and the market valuation of that role--in businesses of all sizes, buyers of risk products will also expect a more accurate assessment of cyberliability within their organizations.
Such a shift in thinking will give some insurers a chance to design products that cover today's new information-technology security and media threats. Mitigating the uncertainty is the best way for both businesses and insurance companies to prosper in this new world without being at its mercy when things go awry.
In 2001, the financial markets witnessed a shift in equity markets as analysts were forced to adjust their valuation models for data-intensive and network-dependent companies. New metrics related to the health of IT infrastructures supported the theory that wealth creation for these firms would derive from their fast-growing information assets and not just traditional hard assets, such as capital, inventory or real estate.
The insurance industry--especially commercial insurance markets--will similarly be forced to make this transition in risk evaluation sooner rather than later.
Insurers have been slow to invest in a deeper understanding of the potentially massive information-technology risks, especially as American businesses aggregate unprecedented volumes of personal electronic data. If a business' mastery of technology has become an indicator of wealth creation for financial markets, then a company's lack of technology mastery has become an indicator of its risk profile for insurance markets.
Technology risk--especially for data privacy--is the storm brewing from Europe to the United States and even to Asia.
IN OUR MIDST
Technology and cyberliabilities are real. Their growth is exponential. And they are no longer reserved solely for Web 2.0 startups and Silicon Valley giants. From state colleges to local banks and global retailers, technology liability has gone mass market. From carefully planned network security breaches to identity theft incidents, rarely a week passes without multiple reports of data losses.
Are stolen laptops a liability? Yes. Can a company be sued and financially impacted for being hacked? Yes. But these are just the tip of the iceberg for data-heavy, multinational organizations.
Given the enormous IT security spending during the last several years, it has become clear that most companies are beginning to understand the intrinsic value of their customer data--such as profiles, history and behavior--as a measurable and growing corporate asset. Protecting this data is no longer merely a cost of doing business; it is a strategic imperative. The difficulty for many firms is determining the measurements and means of quantifying this data as an asset since accounting practices in this area can be described as "emerging" at best. Another challenge is quantifying the business risk of customer data.
This, however, is where insurance markets can take the lead. By researching technology risk and developing insurance products that cover cyberliability, insurance markets can offer firms more substantial protection and coverage from this new area of liability.
UNPRECEDENTED DATA AGGREGATION
Data breach incidents were far less frequent a decade ago, and, when they did occur, the financial fallout to the organization was much less given that most companies still functioned in a mainly paper-based, people-intensive business model. Unfortunately, many insurance policies for traditional companies are still being written today without the clear recognition that computer systems, databases and networks are now critical to the success of the enterprise.
Electronic data is growing at alarming rates across all professional industries as a result of both business need and the tremendous drop in storage costs. In 1990, the average cost of one gigabyte of data storage was around $20,000. Today, it is less than $1.
More importantly, the data within those networks is not only increasingly regulated but also increasingly personally identifiable and confidential. The risk to this data will only increase as IDC reports that the average data volume in American companies is expected to double every year.
Traditional businesses--and those that insure them--need to face a new reality. Digital information within a company is not only its lifeblood for growth but also may be its greatest professional liability.
Virtually every company is a data warehouse, e-mail repository and Web destination, all protected by a range of firewalls, encryption tools and antivirus applications. Information thieves and data brokers are definitive reference points that suggest information has surged as a new resource, no longer protected by scarcity and location, but unleashed with abundance and access.
When considering where human error ends and technology error begins, the line has become blurred. In fact, the most current and explosive element of technology exposure is associated with information malpractice--the negligence of a firm to store and protect electronic, personally identifiable or confidential company data within secure and operational networks.
As of September 2008, more than 35 state IT security and privacy regulations and standards were in place, ranging from standards of care to compliance requirements to fines, fees and penalties. Most professional organizations do not realize that these regulations exist and therefore are not aware of the high costs associated with a technology incident.
WHAT'S OLD IS NEW AGAIN
In 2001, the Brookings Institute book Unseen Wealth explored the inadequacy of FASB accounting methods and equity financial models for valuing the growing "intangible assets" of emerging, technology-driven companies. Many of the book's predictions about the "truer" valuations of companies did make it into mainstream financial markets a few years later.
Today, companies traded on public markets are valued by not just their traditional hard assets but also their information assets, such as digital knowledge of customers or the breadth of IT ecosystems that can adapt to changing markets and new business models. There are few differences, if any, in pricing risk and pricing future value.
The insurance industry, through more targeted technology risk coverage and smarter risk selection, will have to adapt to this fundamental change as well. Alternatively, those firms that fail to protect themselves from information risk will feel the financial and reputational pains of this new unseen liability.
(The views expressed herein are those of the author and not necessarily those of The Hartford Financial Services Group, Inc., its subsidiaries or affiliates. This article is provided for information purposes only, and is not intended to substitute for individual legal counsel or advice.)
October 15, 2008
Copyright 2008© LRP Publications