Robert Goldhawk gives an insurer's eye view of the risks of cyberspace.
"In five years time all companies will be internet companies, or they won't be companies at all" – Andy Grove, chairman of Intel.The rapid trans-national expansion of computer networks and the growth of the Internet have created many opportunities for business. They are also creating many new dangers.
Computer systems offer new opportunities for criminal activity, as well as creating the potential to commit traditional crimes in a non-traditional manner. The law itself has not kept pace with the technological change. As well as fraudulent activity, organisations and individuals are also exposed by virtue of their reliance on technology in areas such as defamation, intellectual property rights, misuse of confidential information and breaches of statutory privacy rights.
In February 1998 the UK Audit Commission published a paper entitled Ghost in the Machine, which analysed responses from 900 private and public organisations in the United Kingdom. The survey confirmed that there had been a significant increase in IT fraud. Indeed, 45% of all the organisations who participated recorded IT fraud. Other findings included that viruses were the most common form of computer abuse and that hacking had trebled over the last year. It was also found that internet access exposed organisations to an increased risk of computer abuse.
Cybercrime is essentially the unauthorised access to and use of computer systems. The number of verifiable computer crimes is, however, a moot point. It has long been accepted that the recorded computer crime statistics do not represent the actual number of offences. This is for two main reasons:
• Sophisticated technology and the intangible nature of computer held data ensures that computer crime is difficult to detect.
• Some victims are unwilling to divulge information about their operations for fear of adverse publicity or loss of investor or public confidence.There used to be an unwritten security rule within the IT industry that systems containing confidential information should not be connected to the internet. Today, however, many companies must connect their networks to the internet to support their business processes.
Being online, the company will always be susceptible to some kind of damaging attack. Any security mechanism will have some kind of weakness. This could range from new technology which renders the strongest encryption useless down to straightforward bribery or blackmail of the system administrator.
Hacking and viruses
Hackers and viruses pose different threats. A hacker does not have to commit a fraudulent act in order to cause damage and financial loss. The UK has seen a number of high-profile web sites being altered by hackers leading to a financial cost of rectification, as well as the obvious embarrassment.
A group of British hackers, calling itself the Digital Anarchists, made repeated attacks on the Labour Party internet site, replacing a picture of Tony Blair with his Spitting Image puppet and headlining the site with “New Labour – Same Politicians. Same Lies”. A previous attack replaced Mr Blair's response to the budget with a live sex show.
In February 1999 a disgruntled computer hacker took revenge on the creator of an IT security system by changing the man's bank details and making it impossible for him to sell his house or get a mortgage. The hacker added six default notices and a county court judgement to the victim's financial records.
There is no such thing as a harmless virus. Even the most benign virus affects a network and needs to be removed which costs time and money. All viruses operate in essentially the same way. Viruses are parasitic software designed and written to enter and alter a computing system without the knowledge or permission of the owner. They attach to files or boot sectors and replicate themselves, thus, continuing to spread.
The danger, both real and perceived, posed by viruses has been well publicised. In March 1999, an e-mail virus called Melissa brought almost 60 major companies in the United States to a halt and affected thousands more throughout the world.
The internet has been portrayed as the last great frontier - an unregulated and anarchic medium which cannot be controlled. In reality, the internet is over-regulated because the laws of every country in the world apply to it, which exposes companies to risks of which they may be completely ignorant.Which risk manager or insurance broker would happily advise a UK board of directors on the libel risks that they are facing in Asia by virtue of having an accessible web site? Or whose intellectual property rights they may be infringing? The list is potentially endless and has the capacity to be financially very costly.
Cyber technology and e-commerce will revolutionise the way all business is conducted. In turn, this will drastically alter traditional perceptions of risk. At the moment we are in a strange situation – governed by laws which did not even consider the implications of the internet. However, the insurance industry has a duty to respond to the needs of its clients. It must be seen to provide cover for its clients as they confront different risks while conducting their business in a different way.
Robert Goldhawk is senior underwriter, financial services division, Hiscox Insurance Company Ltd.
Tel : +44 (0) 207 448 6000; fax: +44 (0) 207 448 6910; e-mail: firstname.lastname@example.org.