It all sounds like the plot for some kind of action-adventure science-fiction movie blockbuster.
It's 2010. Yes, only three years from now. The growth of computer networks has expanded so rapidly that the differences between reality and virtual reality seem to fade.
Embedded in our bodies, in our pets, in our appliances, in our cars, in our clothes, in our offices are tiny devices that can monitor events surrounding them and transmit that information or data through a new, comprehensive network, to some collection facility without any awareness by a human.
What happens next makes for the movie. Organized cyberthieves intercept the information, along with the extremely valuable identification information. Within minutes, the information is offered up for sale on a private, international auction site in Eastern Europe where competing groups of cyberthieves--the 21st-century version of the mob--from around the world buy and sell stolen identity information to the highest bidders. Actual cyberauctions go on today in private, password-protected chat rooms.
And what do they do with the information? The thieves might use it to arrange an attack on your business transaction system just before the height of the Christmas shopping season as part of an extortion scheme that threatens your business' very lifeblood at the most vulnerable time of the year. Michael Lamprecht, national practice manager for cyberrisk at Arthur J. Gallagher & Co., says online brokers and online gaming operations get hit by attacks every day.
Or maybe it's just a simple effort to raid your 401(k) or run up your Visa card's line of credit. Or maybe it's just simple theft. Florida police reportedly charged six people with using stolen information from T.J. Maxx customer computer files. The thieves allegedly spent more than $1 million on merchandise at Sam's Club stores using gift cards that had been bought at Wal-Mart with T.J. Maxx customer data. Police believe the suspects in the Florida case bought the customer information from someone else, rather than from the T.J. Maxx hackers themselves, maybe in one of those online identity auctions.
More and more, we live in a "pervasive computing" environment with an increasing number of networks, further complicating the risks, according to Steve Knutson, vice president and director of emerging issues for Zurich in North America.
One of the most overlooked risks in this developing environment is the spread of what's called radio frequency identification, or RFID, technology, Knutson points out. Currently, the use of that technology is, by and large, confined to relatively simple processes, like inventory tags, but it is poised to expand. These developing computer sensors, already one-half the size of a grain of sand, can send and receive data and react independently. Humans might not be involved in the process as the technology improves to the point where it can react on its own to what is happening around the device.
Right now, for example, there are devices that can sense whether the temperature is too hot in a refrigeration unit and automatically adjust it to make the environment cooler.
Combine the changes in the computing environment with a huge increase in the risk of losing confidential, private information potentially transmitted by these devices, and you have a risk that's often overlooked, or just not even imagined.
Lamprecht points out that most businesses "overlook privacy as an exposure because most companies are not in the business of collecting information." That's not at the core of what business does; it's a side effect. And in the past, he adds, risk management and information technology haven't seen eye-to-eye on the problem.
"It used to be that IT would insist that the company was bullet-proof--that nobody could breach their system," he says. And then, if risk management suggested some insurance as protection, IT would argue that the funds for the premiums would be better spent if they were invested in new firewall systems. "The problem remains that IT doesn't understand risk management, and that makes the problems worse," Lamprecht adds.
THE T.J. MAXX ATTACK
Take what just happened to T.J. Maxx, the discount retailer. Thieves, probably hackers, stole information from 45.7 million credit and debit cards, as revealed in February. TJX Corp., the owner of T.J. Maxx and Marshalls, reported in SEC filings that its computer systems were breached in 2005, 2006 and 2007, when thieves accessed customer credit-card information dating as far back as January 2003, such as account numbers and drivers' license numbers.
The loss to TJX Corp. is significant, although the final total has yet to be tallied. When the hacking was discovered, the company immediately hired 50 computer experts to fix the systems, along with additional investigators. In the fourth quarter alone, the losses related to the investigation of the "intrusion" and additional upgrades to the computer system cost them $5 million. These losses don't include potential losses from possible lawsuits and fines. Nor do they include all the costs involved in notifying customers about the problems. One computer security company, Protegrity, has looked at the T.J. Maxx data breach and estimated that the total costs could reach more than $1 billion, although others dispute that figure.
Craig Lapsley, vice president of Travelers Global Technology, says that at many companies internal controls against computer attackers are improving, but there remains a lack of awareness of the problem. "A lot of people don't have cover. Although they might see it as a big exposure, they don't necessarily understand the exposure."
And Lapsley here isn't even talking about the impact of a computer virus on a company's system.
Lamprecht says, "It's really easy to take a business offline," adding that attacks are common. He estimates that today annual losses from computer viruses exceed total annual losses from fires.
And the problem will only continue to get worse. With "pervasive computing" and the proliferation of computer networks, Zurich's Knutson says in these circumstances "you can see the severity and intensity of privacy breaches and security breaks multiplied." The tasks handled by the coming computer systems and devices, like RFID technology, will be "multiple, and they will be analyzed and relayed through other networks, making this much more complex than just simple computing." He adds that in 20 years, there could be more than a trillion of these independent devices at work.
And with more data and more networks, and all kinds of computer servers working without any human intervention, there will be much more strain on existing systems and networks.
In most cases, a company needs a separate cyber tech policy because the risk is excluded from a more traditional general liability policy, Lapsley says.
"And business continuity becomes an even more important risk," Knutson adds.
JACK ROBERTS is editor in chief of Risk & Insurance®.
May 1, 2007
Copyright 2007© LRP Publications