Your company sells common chemicals that nevertheless could be used by terrorists to fashion bombs or poison. You're careful about whom you sell to, but a seemingly legitimate entity goes on your Web site and orders these materials.
The good news: The FBI infiltrates the group and prevents an attack. The bad news: The materials are traced back to your company.
Is your company liable? Maybe. It may have inadvertently violated federal law.
Here's a more likely scenario: A hacker gets into your system and steals thousands of your customers' credit-card numbers and maybe even their Social Security numbers--"gold" to identity thieves. Now you have to immediately notify all customers their identities may have been stolen. You may have to have credit-bureau monitoring for them too. Both are expensive, but to top it off, you're getting sued left and right. Soon "60 Minutes" is knocking on your door.
Several major U.S. companies have been hit with mass identity thefts and have had to spend millions to make their customers whole--so much money, in fact, that their earnings and share prices dropped. Customers might sue, claiming your organization's carelessness caused not only monetary losses but also emotional pain and suffering. There could be a class-action suit, with thousands of customers demanding to be made whole and more.
Just when you think you've heard everything, a new cyberrisk crops up. The creativity of hackers, pranksters, cyberpirates, thieves, terrorists and cranks is unlimited.
Consider e-vandalism, which occurs when someone hacks into and defaces your Web site. An e-vandal could put up insulting messages about prominent political leaders or even an ex-boyfriend or ex-girlfriend. Your organization could be named in a libel suit, with the victim claiming that the organization failed to provide appropriate security to prevent a break-in. Or maybe a porn video pops up.
Incoming e-mails could be hijacked and sent to a prankster or criminal. Imagine what a good plaintiff's lawyer could do with that.
Think of the havoc that would result if a cybervandal or terrorist hacked into your site and posted something like this: "We have planted a bomb in the headquarters of the corporation. This is fair warning. It will explode in 30 minutes and level the entire block." Businesses would have to be evacuated and hundreds of police would be swarming over the area for hours.
Afterward, when the episode is revealed as a hoax, the city would probably come after your company to get reimbursed for the overtime it had to pay the cops, firefighters and emergency workers. And you might need to hire a public-relations firm to work with the media and help restore your reputation.
Corporate blogs open up another legal can of worms. More companies let readers respond to their corporate blogs, and a hothead could post something threatening or libelous that might get by the censor. Absolutely no hacking skill is required. Or the culprit could be an indiscreet corporate blogger himself or herself.
The problem could originate in your own information-technology department. Someone can press the wrong button and inadvertently put confidential information on your Web site.
Disgruntled or greedy employees can wreak havoc--like the employees at a New Jersey bank who went into the system and stole customer records, which they sold to criminals for $10 apiece.
A laptop with sensitive information such as customer data or confidential personnel records about troubled employees could be left unattended and stolen. Turn your head at a Starbucks for a minute, and the laptop could be gone.
Skilled mischief-makers can sometimes evade firewalls and destroy or corrupt vast amounts of data by using a virus, worm or spyware. Restoring the data can cost a fortune. Standard insurance policies cover computer systems for fire, flood, earthquake and windstorms, but not data corruption. And the data might be worth many times more than the hardware.
For many companies, the Web is a business mainstay. A denial-of-service attack by a malicious spammer who floods your system with thousands of messages could bring down your site for hours or days, and could conceivably result in millions in lost orders and income. Your organization may need to spend more on overtime and temps to answer phones while the site is down. If your e-mail system goes down, that's an expensive problem too.
In cyberblackmail, a blackmailer hacks into your system and holds your data hostage. If you ever want to see your data alive again, you have to pay a ransom. It's not theoretical; several companies have already been held up and had to pay off the crooks.
Copyright or trademark infringement is another cyberrisk. Your site may inadvertently mimic another company's site and trademarks. Or an overeager marketing person may plagiarize someone else's copyrighted wording. If that causes confusion and the other company loses visitors and business, you could get hit with an infringement suit.
LOSS CONTROL IS VITAL
Better cybersecurity requires constant effort. Most organizations have a chief information officer who's aware of the danger. Nevertheless, it may be worthwhile to hire a consultant to review your systems to make sure that your computer network is well protected. "Network access control" is the latest buzzword.
Set reasonable policies about data security. Tell staff to not store confidential information on their laptops. Wherever appropriate, require passwords to access your systems. Take every reasonable step to ensure that confidential information in your computer systems remains confidential.
Make sure that your computer network isn't broadcasting information wirelessly. Some cyberthieves have simply set up an antenna and a laptop near a corporate headquarters and grabbed customer records from the airwaves.
Vet any employees, contractors, vendors and volunteers who have access to sensitive information. An inexpensive criminal background check now can save much grief later.
Executives who say they can't afford Internet-related insurance may not realize that Internet exposure is no longer covered in their basic liability policies, which now exclude it. If your company doesn't have Internet-related insurance, suffers a big loss and the stock price plummets, shareholders could conceivably sue the directors and officers for failing to uphold their fiduciary responsibilities. Your standard D&O policy may exclude coverage in this situation.
Properly covering Internet-related liabilities requires buying a separate cyberpolicy that covers the risks mentioned above. It should cover unauthorized use and theft of your data; damage caused by computer viruses; cyberattacks that shut down e-commerce activities; electronic theft of money, data, software or computer resources; libel, slander and copyright infringement; and disclosure of private information.
Some policies provide contingent coverage: If a key vendor serving your e-commerce site goes down and thus shuts down or impairs your e-business operations, you'll be covered for loss of income. Coverage for the cost of hiring a public-relations firm to run a media campaign is also valuable. Many policies also cover e-blackmail and will pay the ransom you could have to pay to get your data or system back alive.
Several major insurance companies offer good cyberrisk policies. Underwriting is exhaustive. When you apply for Internet-related insurance, you will have to document the steps your organization is taking to protect its systems from hackers, worms, viruses, data contamination, Web outages and other threats. The better the protection, the better the deal the insurer will offer.
Even the world's most competent and diligent IT professionals can't guarantee 100 percent protection against determined hackers and just plain bad luck. Cyberinsurance is a necessity.
MARJORIE YOUNG is vice president of E.G. Bowman Company Inc., a commercial-lines insurance brokerage and loss-control firm in New York City.
September 1, 2007
Copyright © 2007 LRP Publications