As increasing volumes of business are transacted using internet-based systems, re/insurers need to ensure information security.
For years, experts have cried out for the business world to take information security seriously. However, the cost of proper security was often greater than the risk of loss, and companies were hesitant to introduce measures that might inconvenience clients.
The terrorist attacks of 2001 transformed the dialogue on information security into a front burner issue. Security can no longer be classed as a mere technical problem: it is a lasting legal issue and a major risk category for most companies.
The re/insurance sector plays an interesting role in this change. Although the industry is often portrayed as technophobic, the large re/insurers are enthusiastic users of e-mail, extranets for brokers and clients, wireless networks, and remote access for travelling employees. Quietly, e-business has become crucial to their operations. As a result, re/insurers - and Bermuda-based ones in particular - are turning to digital certificates and other means to protect their operations and reputations.
At the same time, re/insurers are actually fuelling the wider corporate focus on security by excluding digital risks from most standard policies. In short, the cost of inadequate security is now unacceptable to most businesses.
Government efforts to require or encourage security have had a limited effect on corporate behaviour. However, now that poor data security may impact the bottom line - through increased insurance costs - many companies are actively surveying their options.
No security, no deal
In the past, security was viewed as a defensive move to protect systems from external attack or compromise. But today, with our reliance on e-mail and extranets, security has become key to doing business online with customers and partners. Without security, there can be no trust. And without trust, there may be no business.
Trust has always been important between business partners. But with e-business, companies also need to trust the transaction itself. This means that when online communications replace personal contact, users need to verify each other's identities. When transactions depend on computer or network availability, users need to know that these will work properly. And when data is stored electronically, users must be confident that it is protected and accessible.
Recent laws, such as Bermuda's Electronic Transactions Act (ETA) and the US federal E-Sign legislation, make electronic transactions legally enforceable. However, trust remains an issue. For small transactions, such as consumer purchases, businesses usually take the risk. But for the larger deals that typify the international markets, businesses worry about the enforceability, authenticity and integrity of the communications involved. As a result, the new laws push businesses to implement a level of security that establishes the legal 'trust' necessary for safe and enforceable transactions.
In some cases, the law literally requires security. For example, the US has enacted legislation for both the financial services and healthcare sectors requiring providers to implement security to ensure the integrity and confidentiality of client information (the Gramm-Leach-Bliley and Health Insurance Portability and Accountability Acts, respectively). Other legislation, such as the Patriot Act and proposed transportation regulations, require security to positively identify the parties to a transaction.
In other cases, the law pushes businesses to implement security by providing that certain electronic transactions will not be legally binding without taking appropriate security measures. For example, the United Nations Model Law on Electronic Signatures recommends that countries adopt laws basing the enforceability of electronic signatures on an assessment of their level of reliability or trustworthiness.
This is the case in Bermuda, where the ETA gives businesses a legal incentive to implement appropriate security. Under the ETA, the signer of an electronic document is legally presumed to be the person identified by the signature when a certificate is used from an authorised certificate service provider (CSP). Without that presumption, the source of an electronic document must be authenticated in a dispute. QuoVadis is the first authorised CSP in Bermuda.
This legal certainty has great implications for the ways companies do business online. Management companies that previously could not accept client instructions over e-mail can now accept digitally signed messages. Moreover, larger transactions can be safely conducted online, either using signature plug-ins for familiar desktop applications or new web-based platforms. The new trend is unmistakable: security will be the key to creating enforceable and trustworthy electronic business transactions.
No security, no cover
Last year proved that mega-loss scenarios can occur from entirely unexpected angles. As a result, beginning in January this year, many re/insurers specifically excluded data and other digital liabilities from their cover, along with terrorism. At the same time, both the US and UK have tightened their legislation so that hacking or malevolent computer activity, if motivated by political or ideological belief, may be treated as terrorism.
Most companies remain unaware that their digital risk exposure may not be covered by the standard set of insurance policies, such as business interruption, workers' compensation, property and liability. The insurers argue that they never intended to provide cybercover: when these policies were originally issued, data was not part of physical property; online identity fraud was restricted to credit cards; and viruses and hacking were controllable.
This year is seeing a rapid growth in specialist digital risk insurance products, which focus on a company's information security arrangements, such as digital certificates for identity and privacy, firewalls and intrusion detection systems, as well as threat analysis and monitoring. Good security has become good business.
By Stephen Davidson
Stephen Davidson is VP at QuoVadis Ltd, a Bermuda-based company providing online identity and digital signature solutions to international organisations. More information on QuoVadis can be found at www.quovadis.bm. Stephen can be contacted at: firstname.lastname@example.org.