07-20-2002
NATIONAL SECURITY: Insurance Agents Guard the Cyber-Gates
Industrial Age warfare demanded GI Joes, armored tank divisions, and lots
of artillery. Information Age warfare demands all of that, plus auditors,
insurance agents, investment analysts, lawyers, and other
briefcase-carrying experts.
This army of gray flannel may, in fact, be the only one powerful enough to
nudge, prod, and even threaten America's cautious corporate boards to jump
with both feet into making their companies more secure against massive
cyber-attack.
For several years now, government anti-terrorism officials have been
urging the private sector to make its computer-controlled infrastructure
resistant to enemy attack. After all, much of this infrastructure (things
such as the nation's power grid, banking system, telephone network, and
even the online marketplace) is critical to the nation's economy and
defense even though it is privately owned.
But companies have been reluctant to spend much money on cyber-defense.
Skepticism about the likelihood of a carefully planned attack, as opposed
to those from random viruses, is one reason. Another reason is that the
companies worry that if they acknowledge the risk, they will be liable to
lawsuits by shareholders if they don't do enough to lessen that
risk.
And this is where the marketplace comes in. Federal officials, including
Richard Clarke, the White House's cyber-space security chief, are
promoting a greater role for insurance companies and auditors in the
national cyber-defense plan. It is these industries that can put the
financial pressure on corporations to do more in cyber-defense.
One possible approach, say government security experts, is to apply
marketplace pressures that would spur companies to buy computer-security
insurance, just as they now buy flood and fire insurance. But progress
here has been greatly slowed by the inability of corporate boards, and of
insurance companies, to measure the risk of computer attacks. How much
business would be lost in a cyber-attack? Hard to say. How would losses
mount if a cutoff in online service caused a massive decline in consumer
confidence in Internet transactions? Hard to say, and hard to
measure.
The caution is even greater among reinsurance firms, those companies that
buy large blocks of insurance policies from the insurance companies.
Claims filed after the 9/11 attacks hit reinsurers hard, and a
cyber-threat, such as a fast-spreading computer virus that might be
unleashed by anarchist hackers, could hit the reinsurers hard
again.
But the needed risk calculations are now emerging from the audit industry,
said Charles Le Grand, director of technology practices for the Institute
of Internal Auditors, a professional group based in Altamonte Springs,
Fla. As more and more companies perform "cyber-security" audits,
professional expertise grows, and auditors will develop better standards
of good professional conduct, Le Grand said.
Some insurance companies have already stepped into the ring. For example,
the New York City-based American International Group, one of the nation's
largest, sells insurance against hacker attacks, but only if a client's
board shows that it is taking reasonable steps to protect its company from
hackers. Unless the board takes those steps, AIG's insurance policies hold
the company's directors and officers personally liable for a hacker attack
on the company or its business partners. This emerging marketplace is
"beginning to influence the thinking of companies in a constructive
way," said Harris Miller, president of the Information Technology
Association of America, an industry group based in Arlington, Va.
There's a schism, however, between the suppliers of information-technology
gear (computers, software, telecommunications devices) and the users of that
gear, such as the banks, oil and gas companies, and telecommunications
companies. Each sector argues that the other should take the lead in
cyber-security; each side wants to minimize its own liability in the event
of an attack. This has meant delays.
So to encourage new insurance and security programs, federal officials met
on June 20 in Washington with executives in the auditing and insurance
industries to plan the next step. "There was agreement that the
federal government wanted to be involved in awareness and education, and
perhaps [in giving] research and development dollars," said Ty
Sagalow, who heads the information-security insurance division at AIG.
Plans, and a schedule, for a new awareness campaign are now being
prepared, he said.
One easy option, Miller said, is for the Securities and Exchange
Commission to direct that company boards include a discussion of
cyber-risks in their required financial reports. Another option, industry
officials said, would be for the government to sponsor the reinsurance of
cyber-risks, thus ending the possibility that private insurance companies
would be bankrupted in a massive cyber-attack.
If companies move on their own initiative, a national cyber-defense system
can emerge quickly, "as soon as three to five years," Le Grand
said. However, "if other things happen that distract our attention,
it could be the end of the decade." Other experts say that companies
may have to be forced into acting. Mary Guzman, the Atlanta-based vice
president for the insurance advice firm Marsh Inc., said it may take
"some savvy plaintiffs' attorney" with an expensive lawsuit
before company boards take action.
Neil Munro
National Journal