By MARYANNE MURRAY BUECHNER
Posted Feb. 05, 2006

When 21-year-old Web entrepreneur Alex Tew received a $50,000 ransom
demand last month, he remembers thinking, "There's no way on earth I'm
paying these guys." Hackers had kidnapped Tew's Million Dollar
Homepage, an advertising website, crippling it with a flood of data.
Thousands of dollars, six days and two security teams later, the site
was back up. "I can understand why gambling sites that accept
thousands of dollars a day could choose to pay and be done with it,"
Tew says, "but I made a point of standing firm."

As cyberextortion schemes become increasingly common, their targets
have another choice: cyberinsurance. Demand for this emerging category
of insurance, which will even cover a ransom payment, has jumped as
more companies--and not just tech firms--depend on digital networks to
do business. Written premiums topped $200 million in 2005, up from
$100 million in 2003, according to Aon Financial Services Group
managing director Kevin Kalinich, as corporations realize they have to
guard against liability in addition to the hackers themselves.

The rise of the hacker as extortionist reflects a broader change in
hacker culture. "It used to be teenagers looking for bragging rights,"
says Johannes Ullrich, chief research officer for the SANS Institute,
a security think tank. "Now it's done for profit." And it's done from
anywhere in the world, so catching the bad guys can be complicated.
Ullrich estimates that there are 10 or 20 cases a day, compared with
virtually none three years ago. More sophisticated viruses, spyware
and other forms of malicious code, meanwhile, are the new weapons of
choice for committing identity theft, bank fraud, even industrial
espionage. Computer crime costs U.S. businesses an estimated $67.2
billion a year, according to the FBI.

There are two sides to cyberinsurance: first-party coverage helps
companies recover losses owing to, say, a network outage. Many
first-party policies also include payments to hackers holding your
website or customer data hostage, says ACE USA underwriter Brad Gow.
Third-party liability covers legal expenses if security fails and
someone sues. Annual premium payments range from $7,500 for a
medium-size ($25 million in sales) company to hundreds of thousands of
dollars for a multinational corporation, according to AIG. To qualify
for coverage, companies must adhere to internationally accepted
security standards. "You never know what you're going to come up
against," says Moira Mooney, senior risk manager for InterActiveCorp,
which owns several online businesses. "Having the insurance is a

What has really kicked things off for the cyberinsurance market is new
legislation, in effect in some 20 states, that requires companies to
notify customers when their personal data may have been compromised.
There were 134 such breaches last year, potentially affecting more
than 57 million people, according to the Identity Theft Resource
Center. "Companies used to bury this stuff," says Chris Hoofnagle,
senior counsel for the Electronic Privacy Information Center. Now that
they must go public, buying insurance can reduce liability risk.

Insured or not, the top priority is still prevention. Procter &
Gamble, for one, eschews cyberinsurance. "What would be scary for us
is if we lost critical data--about R&D, our supply chains, even a
marketing plan--to our competitors," says chief information officer
Filippo Passerini. "There's no insurance that could cover all the