07-20-2002

NATIONAL SECURITY: Insurance Agents Guard the Cyber-Gates

Industrial Age warfare demanded GI Joes, armored tank divisions, and lots of artillery. Information Age warfare demands all of that, plus auditors, insurance agents, investment analysts, lawyers, and other briefcase-carrying experts.

This army of gray flannel may, in fact, be the only one powerful enough to nudge, prod, and even threaten America's cautious corporate boards to jump with both feet into making their companies more secure against massive cyber-attack.

For several years now, government anti-terrorism officials have been urging the private sector to make its computer-controlled infrastructure resistant to enemy attack. After all, much of this infrastructure (things such as the nation's power grid, banking system, telephone network, and even the online marketplace) is critical to the nation's economy and defense even though it is privately owned.

But companies have been reluctant to spend much money on cyber-defense. Skepticism about the likelihood of a carefully planned attack, as opposed to those from random viruses, is one reason. Another reason is that the companies worry that if they acknowledge the risk, they will be liable to lawsuits by shareholders if they don't do enough to lessen that risk.

And this is where the marketplace comes in. Federal officials, including Richard Clarke, the White House's cyber-space security chief, are promoting a greater role for insurance companies and auditors in the national cyber-defense plan. It is these industries that can put the financial pressure on corporations to do more in cyber-defense.

One possible approach, say government security experts, is to apply marketplace pressures that would spur companies to buy computer-security insurance, just as they now buy flood and fire insurance. But progress here has been greatly slowed by the inability of corporate boards, and of insurance companies, to measure the risk of computer attacks. How much business would be lost in a cyber-attack? Hard to say. How would losses mount if a cutoff in online service caused a massive decline in consumer confidence in Internet transactions? Hard to say, and hard to measure.

The caution is even greater among reinsurance firms, those companies that buy large blocks of insurance policies from the insurance companies. Claims filed after the 9/11 attacks hit reinsurers hard, and a cyber-threat, such as a fast-spreading computer virus that might be unleashed by anarchist hackers, could hit the reinsurers hard again.

But the needed risk calculations are now emerging from the audit industry, said Charles Le Grand, director of technology practices for the Institute of Internal Auditors, a professional group based in Altamonte Springs, Fla. As more and more companies perform "cyber-security" audits, professional expertise grows, and auditors will develop better standards of good professional conduct, Le Grand said.

Some insurance companies have already stepped into the ring. For example, the New York City-based American International Group, one of the nation's largest, sells insurance against hacker attacks, but only if a client's board shows that it is taking reasonable steps to protect its company from hackers. Unless the board takes those steps, AIG's insurance policies hold the company's directors and officers personally liable for a hacker attack on the company or its business partners. This emerging marketplace is "beginning to influence the thinking of companies in a constructive way," said Harris Miller, president of the Information Technology Association of America, an industry group based in Arlington, Va.

There's a schism, however, between the suppliers of information-technology gear (computers, software, telecommunications devices) and the users of that gear, such as the banks, oil and gas companies, and telecommunications companies. Each sector argues that the other should take the lead in cyber-security; each side wants to minimize its own liability in the event of an attack. This has meant delays.

So to encourage new insurance and security programs, federal officials met on June 20 in Washington with executives in the auditing and insurance industries to plan the next step. "There was agreement that the federal government wanted to be involved in awareness and education, and perhaps [in giving] research and development dollars," said Ty Sagalow, who heads the information-security insurance division at AIG. Plans, and a schedule, for a new awareness campaign are now being prepared, he said.

One easy option, Miller said, is for the Securities and Exchange Commission to direct that company boards include a discussion of cyber-risks in their required financial reports. Another option, industry officials said, would be for the government to sponsor the reinsurance of cyber-risks, thus ending the possibility that private insurance companies would be bankrupted in a massive cyber-attack.

If companies move on their own initiative, a national cyber-defense system can emerge quickly, "as soon as three to five years," Le Grand said. However, "if other things happen that distract our attention, it could be the end of the decade." Other experts say that companies may have to be forced into acting. Mary Guzman, the Atlanta-based vice president for the insurance advice firm Marsh Inc., said it may take "some savvy plaintiffs' attorney" with an expensive lawsuit before company boards take action.

Neil Munro National Journal