By STEVE TUCKEY, who has written on insurance issues for a decade for several national media outlets
While data breaches involving both operational and privacy issues remain a top liability concern for software manufacturers today, the downwardly spiraling economy has certainly added new risks that may or may not be solved by insurance.
Kirstin Simonson, underwriting director for Travelers Global Technology, says she sees the overall turbulence in the economy as among the greatest challenges facing software manufacturers in terms of how it could add to liabilities while exacerbating traditional risks.
"Our biggest focus here is trying to make sure that they are not forgetting the basics of how they do business," she says.
One of the most serious risks facing such businesses is acquiring entities outside of their core competencies with technologies they are not used to working with, which in turn can lead to some dicey situations.
"And they really don't know how to handle it," she says. Oftentimes, these new acquisitions will bring in additional legal risks they did not anticipate or, more often than not, just don't drive the revenue that was originally planned.
In the last downturn around the turn of the century, Simonson says, technology companies often let go of the policies and practices used to manage their own risk.
"That is one of the last things I would recommend a company to do. If you have strong contract procedures in place, does it really make sense to remove all those provisions just to get a job?" she says.
Cash-strapped tech customers will often serve as the drivers.
"We've even seen in some cases they have pushed hard to say, 'Let's just skip that testing process, and let's go live,' " she says.
Underwriters often do not become aware of the change in procedure until a claim comes in that could have resulted from it. At renewal time, the insurer will pose questions on just how serious and widespread the breach of procedures was.
"It can have an impact on pricing, or on how much capacity we might be willing to put up. Or we may decide that if you are just willing to do what your customer wants regardless of the situation, that may not be the right risk for us," she says.
But coverage rates aren't their only concern. Thomas Fitzgerald, senior managing director for Aon Brokerage Group, sees a fair amount of worry these days around the issue of insurer solvency.
"Software companies in particular are truly relying on the contingent capital of the insurance marketplace to stand in when something does go wrong," he says.
The errors-and-omissions coverage that is at the heart of a software company's protection is essentially a long-tail risk, which makes the financial solvency of the underwriter a critical issue. Clients are starting to take advantage of policies with built-in layers that can provide for coverage if the primary carrier faces solvency issues.
Because software technology is an industry where the latest and greatest products are prized, companies need to lean heavily on that E&O risk. Kevin Kalinich, co-managing director for a unit of Aon Risk Services dealing with technology issues, sees new trends in software use and distribution as impacting liabilities.
For the past several years, Software as a Service (SaaS) has in a sense taken the old application service provider model to new levels of flexibility and utility for customers, who no longer have to integrate the software into their own systems as before but instead access it over the Internet.
Kalinich says defect breaches, in which malicious software can bring a company's operations to a halt, are waning thanks to SaaS, while data breaches that result in private financial information falling into the wrong hands are intensifying.
"The SaaS part really just comes into play with privacy. When you have all that software yourself and implement it yourself, you are still retaining the data instead of outsourcing it," he says.
With SaaS, much of the data leaves the confines of the client company, resulting in bigger privacy and security risks for the software company.
Evolving technology trends such as SaaS and "cloud computing" mean a lot more vendor management.
"The good software companies get ahead of the curve and get what is known as SAS (Statement on Auditing Services) 70 Audits, where they certify they have all these implementations in place," Kalinich says.
Kalinich contends that while SaaS trends may increase liability for privacy issues, they diminish it for defect claims.
"When companies run their own enterprise resource planning systems, there are a lot of human mistakes that can be made. But when you outsource it, the risks in some ways can go down because then you have the experts that designed the software running your software, and you eliminate some of the human error element."
In the end, brokers working with software companies educate both the underwriters and clients about the available hoops to jump through, such as SAS 70 tests, beta testing, soft rollouts and limited liability clauses.
"So even though it may be the same general platform, this company is a much better risk because they have initiated so much risk mitigation," Kalinich says.
Yet new technology or not, the main risks software companies face today remain pretty much what they have always been, according to Michael Dandini, who heads the Technology Practices Group for The Hartford.
"I call it, 'The product did not do what it is supposed to do,'" he says.
Hartford offers coverage limits of up to $10 million on a primary basis, and that includes legal defense and indemnity, as opposed to a commercial general liability policy that does not include defense. In addition, it provides defense coverage of intellectual property allegations of code theft as a so-called "expanded peril."
"There are different things they cover in addition to the code such as plagiarism, misuse of a property right and content," he says.
Dandini sees an increase in litigation in these turbulent economic times as companies go to greater lengths to protect their products from purported theft and infringement.
The carrier recently added data privacy expense coverage to its technology liability policies to cover notification, crisis management, regulatory and credit monitoring expenses that may arise whenever a technology company suffers a data breach that results in the disclosure of nonpublic information.
Jim Cochran, president of Dallas-based Tech Insurance, serves about 13,000 small business software developers and sees their main concern today as providing for a client base that may not be sophisticated about maintaining their systems and thus may fall prey to security and defect breaches that in turn could get the developer sued.
"What we say to the developer is your biggest cost under those circumstances is legal defense costs," Cochran says.
With smaller developers, sometimes faulty contracts can result in unrealistic expectations that can in turn result in either lawsuits or unpaid bills. "They don't have good project management discipline and don't do a good job in getting clients to sign off on certain portions of the project," he says.
While such problems can occur in most situations where there is a contract, what is unique about software development, according to Cochran, is what he terms "scope creep." A software client and the developer can have a general idea about what the project should accomplish and how much it will cost, but often the client will have other ideas as the project moves along and no real understanding of the time and cost entailed once it takes on new elements.
As a result, delayed and disputed bill payments can often end up in the courts.
Travelers' Simonson agrees that privacy breaches, along with general economic issues, are moving up the ladder of concerns.
"Privacy is definitely becoming much more critical. I think they are finally starting to get the message that they are not as immune as they may have thought they were," she says.
At a recent RSA security conference in San Francisco, she recalls hearing IT managers "scream in frustration" that they have taken as many precautionary steps as possible and that there is not much more they can do.
"There was some validity in what they are saying, but I think the message they got back to their management team is that IT security cannot stand alone, and it has got to be a part of the entire process," she says.
STIMULUS AND SECURITY
The stimulus bill recently signed into law by President Barack Obama presents solid opportunities for software manufacturers, particularly in the field of medical records.
"That is great if you have done your homework, but if you have not dotted all the I's and crossed all the T's, you can run into trouble," Simonson says.
But not all software manufacturers face the same privacy breach risk.
"It depends on what role the particular company is playing," she says. "Some companies may have software that has nothing to do with privacy. It may just be the platform that allows this communication to happen."
Nonetheless, changes to the Health Insurance Portability and Accountability Act have caught the attention of underwriters like Simonson. Previously, the law considered most technology companies business associates, and thus they did not face the same liability for a HIPAA violation that a health provider would.
"But the new HIPAA regulations as a result of the stimulus package have a lot more requirements for the business associates and a lot more penalties tied to them," she says.
And while companies wait to feel the effects of the stimulus, they will continue to face the complications of the economic downturn, such as the host of issues centered on what sort of impact a terminated worker can have on security.
"If you are laying off programmers, they can be among the most challenging 'problem children.' So you are laying off some key people who know how to use technology to their advantage," Simonson says.
To fend off any possible increase in internal crime, or programmers taking information as a result of their disgruntlement, Simonson says her company is looking to make sure measures aimed at combating this are beefed up.
"If they are going to be laying off employees, just the simple thing of making sure that system is shut down immediately is critical," she says.
Some instances of employees building in back-door access have surfaced, which are only exacerbated by poor password protection systems, she adds.
April 15, 2009
Copyright 2009© LRP Publications