|
| The Risks
of Offshore E-Commerce - How to Insure Them |
|
| As we soar
steadily onwards into the Information Age, our reliance on technology is
increasing exponentially. By the time this article is published,
assuming that Armageddon hasn't leveled modern human society, that whole
Y2K issue will have been resolved for better or for worse. But, only
after hundreds of billions of dollars were spent by companies, governments
and individuals to rectify the issue caused by those first computer technologists
who didn't fully realize the scope and longevity of their work. |
|
| Let's
put Y2K to bed now, finally, but also try not to forget the incredibly
huge amount of time and capital that was spent on protecting technological
and intellectual property. The same principles behind that need
for protection are emerging again as e-commerce companies, some with a
presence solely in cyberspace, face the threat of huge liabilities at the
hands of a multitude of perhaps unforeseen risks. |
|
| If
something goes wrong with the cash register at the corner store, it's fairly
easy for the parties involved to navigate around the problem and make that
transaction for a carton of milk. |
|
|
|
|
|
| However,
when that corner store is an e-commerce company based in Singapore with
a potential client in Ireland and a crashed server, well, it's a little
more complicated than just digging in a pocket for exact change. |
|
| With
that, and a plethora of other issues, in mind, it was only a matter of
time before a market slowly gathered steam in terms of the risk management
and insurance of e-commerce companies. Laws governing the Internet
are in their infancy, those few that have been born, and uncertainties
abound. |
|
| Regulatory
challenge |
|
| As Joe Tighe,
the chairman and co-founder of IndexTrade.com, a recently-launched offshore
online index-trading company based in Antigua, puts it: "The regulatory
bodies have to recognize that technology will always outpace legislation,
and that they have to adjust. Regulatory bodies have a very important
role, and they need to take into account the global aspects of e-commerce.
I'm sure that they will eventually come up with a regulatory platform that
will work . . . but, it's just so hard to react to eight million people
trying to develop new technology." |
|
|
|
| Commissioner
Orson Swindle of the Federal Trade Commission (FTC) addressed some of these
regulatory issues before the Subcommittee on Communications Commerce, Science
and Transportation Committee of the United States Senate on July 27, 1999. |
|
| " . . . Imposing
additional laws and regulations on that which we do not yet fully understand
could produce incredibly-negative unintended consequences," he said in
written remarks published on the FTC's Web site. "Imagine this scenario:
first of all, massive numbers of unintended or innocent violations of the
new law will likely occur. Commercial Web sites are increasing at
almost 10% a month. The overwhelming majority of these violations
would be by entrepreneurs seeking to market a product on the Internet without
understanding the new requirements or not possessing the technology or
the resources to comply. The regulators, armed with the new law,
would, of course, have to enforce it. Imagine the scope of this task
and the likely effects on entrepreneurs." |
|
| So what we're
left with at this point, is a fast-growing and generally-unregulated online
environment with much uncertainty and no precedent. Retail consumer
purchases over the Internet totaled $3 billion in 1997, $9 billion in 1998
and were expected to approach $30 billion by the end of 1999, so the scope
of these risks as they affect e-commerce is only becoming more relevant. |
|
| Insuring
offshore risks |
|
| Some risks
may be further enhanced by being offshore in the eyes of insurance professionals
providing Internet coverage. Matthew Norris, synergy underwriter
for Hiscox, a cyber liablility insurance provider on the Lloyds of London
market, admits there are some possible "bad features" to being offshore
in terms of cyber risk, but stresses that individual cases are examined
on their own merit, and that his company is "much more concerned with what
they [businesses] do rather than where they are." |
|
|
|
|
|
|
| Publishing
liabilities: Today, everyone is a publisher, as the Internet
is essentially being treated as a broadcasting media by US courts.
If you have a Web site or use e-mail, you face the same liabilities as,
say, a magazine reporter. Defamation, misuse of confidential information,
infringement of privacy, copyright, patents, trademarks, trade secrets
and other intellectual property, are all relevant. |
|
| Hackers:
Immortalized, and perhaps wrongly-portrayed by Hollywood, as a group of
bleached-blond teenaged anarchists out to dismantle the tools and trappings
of society, in reality, they are a serious and recognized threat to computer
systems worldwide. |
|
| For offshore
centers, Norris says e-commerce companies may face further risk in this
case. "It is argued that people are currently hacking the most visible
targets, where there is obvious wealth," he says. "Targeting an offshore
location due to its perceived wealth does not seem impossible to imagine." |
|
| Viruses:
There are viruses out there that can automatically erase crucial contents
of your computer's hard drive. In a networked organization, the damage
to one computer can result in significant financial loss throughout the
directly-connected online community. |
|
|
| Viruses can
originate from employees, the Internet, spam e-mails and other sources,
even by accident. How much value do you place on the information
currently stored on your computer? |
|
| How much value
do e-commerce service providers place on the information stored on their
computers? Enough said. |
|
| Technical
malfunction and security: Going back to the example we started with,
the simple fact is that if an e-commerce company's server is down, or if
for some other reason is not online, the sign in the virtual storefront
has been effectively flipped from Open to Closed. And, the more time
spent offline means the more money and return clients that have been lost. |
|
| "Some companies
have tended not to buy large enough bandwidth offshore," says Norris,
addressing a possible further question of technical risk. "Each landing
for a submarine fibre-optic cable costs money and normally they target
a dense population of users. This may even lead to non-cable bandwidth
(satellite or even microwave). In this way, availability and cost
of bandwidth may discourage users from buying enough and so system unavailability
may occur, and losses." |
|
| Another concern
may be security. "Broadly speaking, companies who have set up offshore
for cost savings may tend to spend less on technological security," says
Norris. |
|
|
|
|
|
| Cyber fraud:
No, it didn't take long for fraudsters to embrace the anonymity offered
by perpetrating scams on the web. As electronic correspondence becomes
legally binding, there could also be situations in which criminals access
and use others' electronic signatures to commit fraud. |
|
| Regulation:
The less-than-stellar international view of regulation in some offshore
jurisdictions could also affect the availability of coverage. "Most,
or all, countries are very undeveloped in terms of Internet law," says
Norris. "It may be that offshore locations are even less developed.
Uncertainty about the legal situation would tend to make our premiums higher." |
|
| These are
a few of the big examples, but in reality there are many possible pitfalls
for those involved in online transactions, both onshore and offshore. |
|
| "The risks
from liability haven't changed, you're just in a worldwide jurisdiction,"
explains Chris Cotterell, the director and co-founder of SafeOnLine Ltd.,
a London-based insurance intermediary that offers cyber coverage.
"What has changed is that you've [offshore companies] moved away from your
core service providers. You're now just linked by a telephone line,
and have outsourced many of the services that you used to have in-house." |
|
|
|
|
| Now, to the
question of how to insure this cyber liability. There are standard
existing products that can provide some coverage, such as media-publishing
liability or banking computer crime insurance, but the best bet may be
a product specifically designed for Web-based risks. |
|
| Some of
the options |
|
| The insurance
industry has started to recognize the risks, and coverage policies have
been, and continue to be, developed. In many cases, it seems to have
been a question of moving the scope and experience of some existing insurance
policies into a cyber context. Instead of protecting your office
and hard-copy files with property insurance, you may now decide to protect
your hardware, software and electronic information with some form of cyber
insurance. |
|
| "The
risk is still there, it's just about putting the risk in a different category,"
explains Cotterell. "The market has to be able to change with it
day by day." |
|
| Over a year
ago, IBM and Sedgwick joined forces to provide one of the first comprehensive
safety nets for companies involved in e-business. Their cooperation
provides risk assessment, risk control and risk transfer components.
Initially, IBM performs a "health check" on prospective customers.
This assessment of a company's Internet-based activities and internal computer
network defines the scope of its risk, and how it can potentially be reduced
through a combination of risk control measures and insurance coverage. |
|
|
|
|
| Many of the
other insurance products available for e-commerce liability go hand-in-hand
with this form of risk assessment and control. |
|
| Hiscox launched
its Cyberliability coverage on August 13, 1999. It covers various
risks of cyber vandalism such as hacking and Web site damage and cyber
fraud or crimes committed via computer–including the misuse of electronic
signatures. |
|
| SafeOnLine
has been in operation since early 1999, and offers a wide range of policies
to insure Internet liabilities. "What we've done, and realized, is
that the risks are the same risks that already existed, but the quantitative
nature of the risks is higher," says Cotterell. |
|
| The company
provides coverage with portfolios ranging from protection of credit card
purchases over the Internet to cyber terrorism. |
|
| Cotterell
describes an unsettling example in which one bank's information technology
employee sent an e-mail to his employers telling them that he sabotaged
part of his work on the bank's Y2K compliance upgrade. The employee
then demanded a large sum of money in return for the coding to repair the
problem. Cotterell says the bank paid. |
|
| "I know
a number of such examples, and they [banks] will pay rather than try to
fight it," he says. "It's all going on out there and it's only going
to get worse. It's a more opportunistic fraud system. You don't
have to go to the bank to rob the bank anymore; you just have to go to
a computer terminal." |
|
| In a recent
report conducted by the General Accounting Office, the investigative arm
of Congress, a review of banking regulators' examinations of 81 financial
institutions found that 35 hadn't taken all of the risk-limiting steps
regulators feel are needed. SafeOnLine is in the process of developing
an online banker policy that should be available early this year. |
|
| The answers
are being worked on, and options are already available for individual e-commerce
insurance risks. It is a young market for a young industry, and the
next few years are going to see further change. |
|
| More and more
companies will realize their needs for risk assessment and insurance coverage
while increased regulation of the industry will inevitably take place.
All of these factors will affect the insurance market, and it will be up
to insurance professionals to keep pace. |
|
| "Underwriters
right now are basing their rates on things that have been done before,"
says Cotterell. "As more statistical data becomes available to the
industry, you could potentially see rates going up in certain areas." |
|
| At the same
time, it will be crucial for appropriate security measures to be taken
before, or in accordance with, relevant insurance policies. Network
security architecture, audits and constant monitoring will be necessary. |
|
| Staying on
top of technology in terms of things like firewalls to protect network
servers will also be important, but remember, those locks have been made
by people, and can also be picked by people. Such concerns are going
to keep the players in this young insurance market busy in the coming years |
|
| "There are
a lot of uncertainties, and the insurance industry has been incredibly
slow in embracing it," says Cotterell. "But, people really aren't
so worried about a fire in their building anymore." |
|
 |
|
|
