Traditional re/insurance products do not address the needs of internet-based exposures. By Constanze Brand and Monika Gruber.

Combining computers into a worldwide network was a great idea. Nonetheless, it has created risks that still today are unfathomable in their magnitude. Hackers, viruses, worms and denial-of-service attacks lurk in the internet. For very little effort, they can cause tremendous damage. Every weak point in the security shield is mercilessly exploited. Computer centres are hacked, data is destroyed or altered; system outages, business interruption and lost revenue are the result. The Code Red worm of June 2001 caused $2.6bn in economic damage. In less than 14 hours, 360,000 mainframes were infected. The 1999 'I love you' virus forced employees around the world to work frantically - and unproductively - to contain the damage. The value destroyed by those lost hours: $10bn. In 2000 alone, economic damage from internet viruses totalled $17.1bn, as estimated by Computer Economics. These figures have grown by a factor of 30 since 1995, even though the 'super-meltdown' feared by many has not materialised. Yet after the events of September 11, such an event would seem to be distinctly possible. The fear of terror attacks is spreading, and the internet may become an ideal platform for those attacks. DaimlerChrysler's insurers have excluded all losses due to cyber-terrorism from their 2002 covers. The internet has become a monster risk, yet insurance cover has not kept up. Who picks up the tab when the servers go down?

A new dimension of hazard
Though internet risks are really nothing new, the internet has taken familiar risks into a completely different dimension. Problems can manifest themselves in either the legal or the technical area.

The legal risks include the infringement of data protection statutes or of third-party patent rights, industrial property rights, trademark rights or copyright. Also in this area are invasion of privacy, defamation of character and libel.

The technical risks may be classified as either security risks (data integrity and confidentiality) or failure and disruption risks (technical malfunction, non-availability). These include both classical risks and new, digital risks at the following levels:

  • at the physical level - by which we mean a company's buildings, hardware and infrastructure - the classic hazards are fire, force majeure, technical defects, sabotage, and utility service failures. The new digital hazards include the very considerable risk of an attack via the internet. This might happen in any of several ways: virus, e-mail bomb, or through failure of the data network itself;

  • at the software level - that of the operating systems, user applications and data - the classic risks are programming and configuration errors, ineffective security, data theft and the manipulation of programs and data. The digital risks in this area include defective test management, accelerating product life cycles and malicious software - malware - such as viruses, designed specifically to damage or disrupt a system;

  • the organisational/social area - this includes process, personnel and client risks as they apply to IT security - stands under constant threat from human error, insufficient know-how, breach of confidence, careless compliance with security regulations, internal fraud and insufficient controlling. The additional digital risk in this area derives from the increasing complexity of IT systems, from a company's dependency on its IT personnel, or from insufficient or completely unsuitable security management; and

  • at the economic level, the classical threats are the infringement of laws and regulations, sabotage and espionage. These are now joined by the digital risks, for example, from denial-of-service attacks and ineffective security.

Where is cover needed?
The new opportunities opened up by technical change have always held new risks. Today, the demand for insurance is increasing rapidly throughout the IT sector in step with mushrooming IT activities. It is clear that new loss scenarios from these activities will eventually open entirely new areas of business to the insurer. However, according to traditional insurance logic, a risk can only be insured if the insurer can define and assess it according to the rules of underwriting practice. At the present time, this cannot be done with internet risks, because they cannot be quantified.

The traditional concepts of insurance were developed for industry at a time before it became vitally dependent on IT systems. Concepts were developed for individual installations, not for networks. Internet hazards can be complex because they affect both 'own damage' and 'third-party damage'. However, what is really new about internet risks comes in the liability area. With these covers, both property damage and personal injury fade into the background: most risks manifest themselves as pure financial losses.

Property covers relate to events that cause a 'physical loss or damage'. A 'physical loss' is considered as being 'physical damage to tangible assets', that is, an object that is permanently damaged in a way that a person can see, and feel, and understand. Data and software as such are not material objects; and as they do not represent a tangible asset in the insurance sense, a loss of data would only be considered as the destruction of an asset that was virtual or intangible. For this reason, damage to data or software - mainly thought of as any undesirable change to data, software or programs as the result of its deletion or the corruption of its original structure - is not property damage as the term is currently understood. A business interruption caused by such an event would not be covered.

The same applies to damage resulting from impaired function, system non-availability or the non-accessibility of data, software or computer programs. However, at least one American court is at variance with this position. Stretching the concept in the extreme, it states: "… is property, so it is covered". The discussion has just begun, and will presumably continue for some time. There are already attempts to expand the property damage concept to include damaged or lost data.

To date, however, the wordings of general insurance conditions for property and technical insurance recommended by the German Insurance Association (GDV) cover lost or damaged data only when it is a 'secondary loss': the data loss or damage must itself result from insured property damage caused, for example, by fire or explosion.

In such cases, the insurer must indemnify the replacement cost of the data and software up to the agreed cover limit. However, in the present view, there is no cover for data or software losses due to virus infection or system malfunction. Damage due to computer viruses as well as data manipulation or loss caused by hacker intrusions was originally covered in Clause 028, recommended by the GDV in 2000. Now, however, it is no longer included in reinsurance covers.

Traditional business liability and product liability covers do not include media and malfunction risks in their general insurance conditions; and in the current legal situation, security risks are also denied cover unless the loss of data can be classified as property damage.

In sum, it can be stated that most covers, whether inadvertently or intentionally, do not include the new risks, or include them only in very rudimentary form.

The present tendency simply to expand the classic property and engineering covers to include primary damage resulting from system outages, malfunctions or non-availability is quite disturbing. Such an attempt would completely change the character of a risk portfolio. To extend covers automatically to include primary losses would expose re/insurers to uncontrollable, unmanageable and unquantifiable accumulation losses, where a single common cause might generate a great number of claims. The accumulation risk posed by a virus attack; the business interruption caused by the disruption or failure of external networks - such scenarios will be an enormously difficult challenge for the insurance industry. A single event of the type described above can lead to impossibly complex accumulation problems. Due to the tremendous number of individual losses that can result from such a single event, even limited cover for this type of risk could quickly push the entire reinsurance market to the limits of its capacity.

With earthquakes and other natural hazards, there are models for delineating and assessing the accumulation threat. In the IT sector, with the boundless nature of the internet, this is not yet possible. To calculate a premium for accumulation events, one must have an exact event definition; one must know the mean occurrence probability, expected loss amount and other factors. In addition, other loss accumulations from other lines of insurance, known and unknown, must be considered. When events do greatly exceed loss expectations, these would then be recorded and factored into revised premium calculations. Yet internet risks are not comparable with conventional accumulation risks such as natural catastrophes. New calculation methods must be found.

For these reasons, reinsurers can offer no cover for software or software business interruption risks (including virus attacks), or for service interruptions in external networks. In current insurance policies, long-term loss of income and loss of reputation are excluded, as it is hardly possible to quantify them.

Yet no one would dispute that there is a real, new demand. To satisfy it, new, special products must be developed. Internet-specific hazards should only be covered by separate policies with separate conditions, limits, retentions and premiums. The overriding objective must be a completely transparent risk situation. A melange of conventional and IT covers should be avoided at all costs. Traditional business liability policies, as mentioned above, quite generally do not cover media and malfunction risks, and in the current legal situation, security risks are also denied cover unless the loss of data can be classified as property damage.

Special insurance protection
For the present, it can only be said that traditional insurance logic excludes every risk that cannot be defined exactly and generally understood. Is this bad news for companies with IT exposure? There is, however, light at the end of the tunnel. Though the modification of existing products has proven much too difficult in most cases, new tools for transferring internet risk are under development. The new products differ greatly in their approach and scope of cover. As no reliable risk and loss data exists at present, it must be stressed that these are the first, rudimentary attempts to manage these new risks. The future will determine to what extent these new products need further modification to suit real-world conditions.

The products offered range from pure liability covers to pure business interruption covers. In addition, the American and Anglo-Saxon markets have developed 'all risk' cover packages: combined products that address all IT insurance needs. To counter the higher exposures, some insurers are limiting themselves to special groups of clients: private individuals, small businesses with information websites, or web server operators.

Others insist that their policyholders work together with a reputable IT security firm. The scope of cover varies enormously from one product to another, from 'all risks' to 'named perils'.

Problems as standard
The gravity of the trends sketched out above puts existing concepts under pressure to adapt. Both direct insurers and reinsurers have begun making preparations for the new internet risks. They are searching for new cover concepts, because standard products are having increased difficulty coping.

The situation calls for tailor-made products. Managing these risks successfully depends on identifying them and assessing them properly. As such, this is nothing new. Ten years after the invention of the automobile, who could have imagined that Germany would suffer almost 8,000 traffic deaths per year, each year? Who could have predicted the risks and the covers that have developed in response? It takes a while to understand the risks - and the losses. At present, we still have too little experience in handling internet claims. Ultimately, though, it will be those claims that help us find effective methods to mitigate and finance internet risk.


Constanze Brand is head of the Cyberli@bilities project at Swiss Re Germany. Monika Gruber is an insurance economist in the marketing communications area of Swiss Re Germany.