Raising the profile of digital risks

© lloyds.com Limited 2002

Tuesday, 7th May 2002 - DK Matai, chairman and CEO of mi2g, a digital risk management and bespoke security architecture group, tells lloyds.com the appetite for digital risk insurance is not as strong as it should be - especially as such cover is usually excluded from traditional policies.

Creating awareness

Viruses, worms, denial of service attacks receive high profile media coverage and can cost companies millions of dollars in downtime. But DK Matai, chairman and CEO of mi2g, tells lloyds.com that many companies are not sufficiently aware of the nature of digital risks or what coverage is available for them.

Matai regularly lectures on electronic security and defence issues and is a specialist advisor to the International Underwriting Association's (IUA) Digital Risk Working Party, which was established in November 2001.

What does the IUA's Digital Risk Working Party hope to achieve?

The IUA's digital risk working party hopes to establish greater awareness of the precise nature of digital risks and liabilities within the insurance and reinsurance industry – both at the supplier and customer level – and their impact on existing risk transfer solutions, as well as new mechanisms.

Since January 2002, what kind of policies have excluded digital risks because of September 11?

Even before September 11 the issue of data exclusion and other digital liabilities was under consideration by insurers and reinsurers for exclusion. But the shrinking of the capital base of many players post-September 11 has galvanised action amounting to data exclusion in the property, business interruption and liability areas.

Are companies sufficiently aware of their digital exposures?

Businesses are largely unaware of the ramifications of data exclusion. They have not fully understood and quantified the cost of downtime, loss of business, damage to brand name, share price crash, loss of data to rivals and upstream and downstream liability. The Carlsbad-based Computer Economics Institute has estimated the worldwide economic impact of malicious code attacks reached $13.2bn in 2001. For example, post the recent exclusions, property insurance cover does not include the data on a CD-ROM burned in a fire.

The value of the intellectual property on the CD may be £1m ($1.4m), but property insurance excludes data and cover for the loss of the CD at £1 to £10. Insurance companies would argue that property cover never covered digital risks such as loss of intellectual property, but now they have made it an explicit exclusion.

If a business suffers an interruption as a direct result of erroneous feeds of data or omission of certain data, the business interruption cover may not apply post the data coverage exclusions.

In this case, insurance companies would argue that business interruption cover never covered digital risk such as errors and omissions, but now they have made it an explicit exclusion.

What do you feel is the right balance between companies adopting risk management measures and buying insurance?

Preventive digital risk management encompasses buying the appropriate insurance cover as one of the measures from mi2g's perspective. Digital risk management covers four key areas: Technology, people, law and insurance. Within technological areas one would look at the configuration of computer equipment, disaster prevention and recovery, its compliance with the ISO17799/BS7799 standard as a benchmark, as well as intrusion detection and the speed of response in dealing with anomalous digital behaviour patterns.

On the people side - which is the critical area as 70% of digital attacks are due to people-related exposures - it comes down to the correct policies, training and vetting that help to control the most unpredictable element of digital risk without stifling creativity.

With respect to law, the issue is jurisdiction. This includes dealing with breaches of the Data Protection Act, litigation and defence within the international environment.

Regarding insurance, it is a case of procuring the usual business interruption, workers' compensation, property and liability cover suites along with appropriate specialist digital risk covers that fill the gaps created by exclusions.

Premiums have soared post-September 11, and we are finding the appetite to buy digital risk cover is not as strong as it should be. Businesses are cutting back even on their existing policies within this hard priced environment.

Will cyber insurance ever become ubiquitous?

Yes. Either when the government legislates and makes it mandatory, or when there is a high profile digital disaster which makes captains of industry at CEO or CFO level sit up and take note of digital risks and effective ways to manage or mitigate them. According to the 2002 FBI/CSI computer crime survey, commercial and governmental organisations are reluctant to admit breaches – even to the police. This culture is understandable. But it will need to change to arrive at a juncture where buying digital risk cover will be considered acceptable.

Hackers are often part of the companies and organisations they attack. Should fidelity risks be managed alongside digital exposures?

Yes. The biggest digital threat to organisations is from within, unless that organisation is specifically targeted during a war by an online enemy attacker or enemy-sympathetic attackers.

You have spoken of 'asymmetric warfare'. What is an 'asymmetric' digital attack and how are the risks of one evaluated?

An asymmetric digital attack may be from very few individuals, but impacts thousands - say 40% of the 40,000-strong workforce of a multinational. Most digital attacks are asymmetric. The typical impacts of a digital attack may be:

  • Piracy: The loss of sensitive information or intellectual property.
  • Surrogacy: The usurping of the electronic identity of an organisation or individual and abusing their brand or good name.
  • Denial of service: Business interruption.
  • Hazards: Malfunctioning fire alarm, elevators, security cameras, air conditioning systems.

How can such attacks be mitigated?

Digital attacks can be mitigated only through a concerted and holistic effort to remove vulnerabilities on multiple fronts. On the technical side, mitigation may be achieved through bespoke security architecture comprising firewalls, intrusion detection and anti-virus toolkits. With respect to human resources, it may be achieved through the correct personnel policy and training that prevent social engineering, plus up-to-date employment contracts and vetting procedures.

On the legal side, mitigation may be achieved through the appropriate adherence to the UK Data Protection Act and service level management umbrellas that encapsulate the appropriate security measures within service level agreements.

There is no such thing as 100% security, which is where insurance comes in. In such circumstances, the appropriate insurance cover that deals with business interruption, liability, property and workers’ compensation specifically relating to data risks would be appropriate.

Has the correlation between political conflict and digital attacks become more evident since the NATO air strikes on Serbia in 1999?

We have found over the last four years that most international digital attacks not internally motivated by disaffected employees are driven by ideological concerns. Those concerns may range from such groups as anti-capitalist protestors, environmentalists, animal rights demonstrators, and anti-biotechnology and genetic modification protestors to political activists who oppose a particular government or ideology. The other primary reason is intellectual challenge.

The China-Taiwan cyber war of July-August 1999, the America-China cyber war of April 2001 and the anti-NATO countries cyber attacks in September and October 2001 are good examples of political conflicts that led to digital attacks.

The one to watch in 2002 is the Israel-Arab conflict and how digital attacks square up in the months ahead as a direct result of political tension.

