Information wants to be free, author Stewart Brand once said, in a remark that still holds both promise and peril for the companies that provide the software that runs modern business.
Software makes modern business work by helping to move vast amounts of information around the world at lightning speed. But technology also makes it easier to share or steal information and to copy proprietary software, a fact that has made intellectual property one of the top concerns for risk managers at enterprise software companies.
"The biggest challenges for software companies are typically your professional liability, your intellectual property, your directors and officers liability and your business interruption exposure," says George Haitsch, vice president of corporate risk for SAP America, the largest enterprise software company.
"Depending on who the software company is, you may also have some significant risk related to your brand and your market presence. That's how I rank my risks and I think that would be fairly representative of our peer group as well," Haitsch says.
But disputes over intellectual property have become a high-profile challenge for risk managers seeking to protect the value of their companies' software and to fend off patent and copyright challenges from companies seeking to make up in the courtroom what they have lost in the marketplace.
"What we're hearing is there is a lot of concern about patent infringement and that's an area where you really can't at this point buy any viable liability cover. The products that are available are so few and so highly priced. Really they're just not affordable, and it's just an exchange of dollars with insurance companies," says Mari-Jo Hill, director of risk management at North Carolina-based business analytics software company SAS.
A trend by companies to seek so-called business method patents that cover a process, such as buying goods online, has heightened uncertainty and the risk in intellectual property disputes.
"Patent is becoming a bigger and bigger issue, especially for software companies," says Keith Kupferschmid, vice president of intellectual property for the Washington, D.C.-based Software & Information Industry Association.
"Recently there has been a lot of what people in the industry would call frivolous lawsuits. Companies going out there and getting patents on particular technologies or technological solution, and then going ahead and suing entire industries," Kupferschmid says.
Among the big legal battles is the claim being pressed by software company SCO Group Inc. that it holds the rights to some of the code used in the popular Linux operating system, the so-called open source software that has been available to users without royalties.
In 2003, SCO sued IBM Corp. in a dispute over the Linux code and then launched a broadside at 1,500 large corporations seeking royalty payments for the use of Linux software.
IBM has fought back aggressively and offered to indemnify customers against claims by SCO. Other companies such as Hewlett-Packard Co., also have said they will protect their customers against the Linux claims.
In another case, Sun Microsystems recently agreed to pay $92 million to Eastman Kodak Co. to settle a dispute over whether Sun's ubiquitous Java programming language infringed Kodak patents. Saying it would "take bullets" for its customers, Sun--which built up a cash cushion of more than $7 billion in the Internet boom years--said it would protect its customers against intellectual property claims that might arise over Java.
In fact, just the threat of costly legal battles can induce companies to settle cases they might have won by proving that similar techniques, knowledge or business methods existed beforehand in what is known as "prior art."
"In many cases these patents are eventually invalidated," Kupferschmid says. "It still costs the companies regardless even though they're not paying some sort of damage amount at the end of the day, they are paying a significant amount of expenses in hiring patent attorneys and searching the globe for this prior art." In some cases, the legal battles are just another competitive strategy.
"Particularly with software, the competition is so fierce that intellectual property litigation is very prolific--almost as a competitive tactic where companies will sue each other and get injunctions to create competitive advantage for their own product or to say there's a violation of my copyright on this particular software and as part of the settlement I get royalties on your software," says Brenda Shelly, executive vice president leading the technology industry group at broker Willlis Executive Risk.
Another issue for software companies is the risk that a programmer may inadvertently insert another company's code into a product. That type of issue, which was not as big a concern in the past, nowadays can open a legal can of worms.
"As we've seen in the D&O marketplace, specialized law firms just jump on those opportunities to create income for themselves and nice damage awards on behalf of their clients. The defense costs alone are so prohibitive that it creates a whole new level of potential loss that is uninsurable at this point," says Hill, whose company is the largest privately owned software firm with 2003 revenues of more than $1.3 billion.
THE PAPER TRAIL
With intellectual property coverage so expensive, companies may seek to manage that risk through aggressive legal strategies.
"When you look at the upfront cost for the insurance policy and when you look at what it might be covering in that arena, many companies and their general counsel opt not to go down that road," Shelly says. "They see it as an issue that's best managed at the general counsel's level."
That defensive strategy, however, requires a lot of work to document the development of software at every step from the inception of an idea through to the sale of the finished product.
"We document everything to the extent we can to show where we have taken measures to minimize or reduce our risks," Hill says.
For its part, SAP has become much more focused on obtaining patents.
"SAP has amended its strategy in terms of intellectual property over the past five years or so to become much more aggressive in terms of creating the international patents necessary to protect our rights and to have a portfolio of intellectual property at our disposal," Haitsch says.
"That really acts as a defensive tool against allegations by third parties that we're infringing. If in fact we can prove that we created the concepts internally and have patented or applied for patents in that regard, it's a significant defensive posture for us to take," Haitsch says.
The limited opportunities to transfer intellectual property risks means that risk managers have to be more creative in assessing and financing the exposure, or deciding to retain the risk as a cost of doing business.
"From a risk management perspective technology companies are still confronted with the reality that there is a very, very limited market in terms of risk transfer opportunity," Haitsch says. "For intellectual property, the main players in that market are very cautious when it comes to software and technology companies."
While software is usually designed to help customers profit from the freer flow of information, software companies need to make sure that they protect sensitive data and harden software and systems against outside attacks.
Such attacks include attempts by hackers to break into a system to steal data, or even to launch a virus that bombards a given site with so many messages that it is forced to shut down in what is known as a "denial of service attack."
A software company that remotely hosts critical applications for its customers could find itself facing legal claims if those applications become unavailable due to a denial of service attack and make it impossible for the customer to run its business.
"The issues associated with Internet liability have to do with posting and privacy and denial of service," Shelly says. "For software companies, there's a potential problem in terms of the company in and of itself, and of course there's the third-party issue with respect to its customers."
The legal liabilities also become more complex as a company goes global and faces competing regulations in different countries. For instance, the question of e-mail management is complicated by strict privacy standards in the European Union and the extensive discovery permitted under U.S. law.
"To tie that together is a significant challenge," says Haitsch, noting that SAP operates in more than 80 countries, "because we need to assess our risk and protect the company from potential pitfalls in terms of both professional liability and directors and officers liability."
THE MARKET LEVELS OUT
While intellectual property disputes and hackers grab headlines, a main exposure for enterprise software companies revolves around their core business of providing software and services to customers. The market for professional or product liability insurance, which began to harden significantly five years ago as capacity diminished, has leveled out as new specialty carriers have come into the market.
"At the farthest end of that back five years and before, software E&O was very cheap. It was done as part of the casualty program and not that expensive at all," Willis' Shelly says. "Then about four or five years ago as markets started to drop out, it tightened up and now some of the specialists markets have come in and generated good competition."
While the market has evened out, software companies say they are still seeing a limited amount of players and capacity.
"Insurance has figured prominently in the response that we have generally had to our products liability exposure. For a software company errors and omission is the line of choice in order to deal with that. It's a relatively high ticket and scarce commodity. There are very few markets for it that really have targeted that industry because it is so new in terms of technology--not having been around that long, to create the kind of exposures that underwriters feel comfortable with," Hill says.
In some areas, software companies have begun to look more to alternative risk management techniques. Microsoft Corp., the world's largest software company and one with tens of billions of dollars in extra cash, has established captives for catastrophic and other risks with a face value of $2 billion at midyear 2004. SAS and SAP say they also are looking at alternatives.
"A lot of things might be under consideration in terms of some other more creative financing arrangements," Hill says. "We're in a position to probably assume more of the risk ourselves and really look at this as more of a catastrophe cover in the sense that we might have multiple customers that have the same problem that end up costing us something because of a single occurrence as opposed to an isolated claim here or there," she says. SAP has been evaluating alternative risk financing for about two years and has taken some preliminary steps but hasn't finalized anything yet, Haitsch says.
Among the issues that risk managers face in dealing with insurers is the relatively young age of the software industry.
"Insurance is very much based on historical costs to give a prediction of what future claims might look like," Hill says. "Since there hasn't been much history in this industry we've been handicapped by the opportunity to leverage those historical costs to make a better case for more attractive premiums."
To manage costs effectively, risk managers need to market their companies to the underwriter community and build long term relationships, Haitsch says.
"The savvier risk managers are really taking an aggressive approach to this, recognizing that they're the face of their company in terms of the underwriting community," SAP's Haitsch says.
a former journalist and editor with Reuters, writes frequently on technology issues for Risk & Insurance®.
February 1, 2005
Copyright 2005© LRP Publications