< Magazine Index > < Index For This Edition > < Subscribe >

Let's put Y2K to bed now, finally, but also try not to forget the incredibly huge amount of time and capital that was spent on protecting technological and intellectual property.  The same principles behind that need for protection are emerging again as e-commerce companies, some with a presence solely in cyberspace, face the threat of huge liabilities at the hands of a multitude of perhaps unforeseen risks.

If something goes wrong with the cash register at the corner store, it's fairly easy for the parties involved to navigate around the problem and make that transaction for a carton of milk.  However, when that corner store is an e-commerce company based in Singapore with a potential client in Ireland and a crashed server, well, it's a little more complicated than just digging in a pocket for exact change.

With that, and a plethora of other issues, in mind, it was only a matter of time before a market slowly gathered steam in terms of the risk management and insurance of e-commerce companies.  Laws governing the Internet are in their infancy, those few that have been born, and uncertainties abound.

Regulatory challenge

As Joe Tighe, the chairman and co-founder of IndexTrade.com, a recently-launched offshore online index-trading company based in Antigua, puts it: "The regulatory bodies have to recognize that technology will always outpace legislation, and that they have to adjust.  Regulatory bodies have a very important role, and they need to take into account the global aspects of e-commerce.  I'm sure that they will eventually come up with a regulatory platform that will work . . . but, it's just so hard to react to eight million people trying to develop new technology."

Commissioner Orson Swindle of the Federal Trade Commission (FTC) addressed some of these regulatory issues before the Subcommittee on Communications Commerce, Science and Transportation Committee of the United States Senate on July 27, 1999.

" . . . Imposing additional laws and regulations on that which we do not yet fully understand could produce incredibly-negative unintended consequences," he said in written remarks published on the FTC's Web site.  "Imagine this scenario: first of all, massive numbers of unintended or innocent violations of the new law will likely occur.  Commercial Web sites are increasing at almost 10% a month.  The overwhelming majority of these violations would be by entrepreneurs seeking to market a product on the Internet without understanding the new requirements or not possessing the technology or the resources to comply.  The regulators, armed with the new law, would, of course, have to enforce it.  Imagine the scope of this task and the likely effects on entrepreneurs."

So what we're left with at this point, is a fast-growing and generally-unregulated online environment with much uncertainty and no precedent.  Retail consumer purchases over the Internet totaled $3 billion in 1997, $9 billion in 1998 and were expected to approach $30 billion by the end of 1999, so the scope of these risks as they affect e-commerce is only becoming more relevant.

Insuring offshore risks

Some risks may be further enhanced by being offshore in the eyes of insurance professionals providing Internet coverage.  Matthew Norris, synergy underwriter for Hiscox, a cyber liablility insurance provider on the Lloyds of London market, admits there are some possible "bad features" to being offshore in terms of cyber risk, but stresses that individual cases are examined on their own merit, and that his company is "much more concerned with what they [businesses] do rather than where they are."

Publishing liabilities:  Today, everyone is a publisher, as the Internet is essentially being treated as a broadcasting media by US courts.  If you have a Web site or use e-mail, you face the same liabilities as, say, a magazine reporter.  Defamation, misuse of confidential information, infringement of privacy, copyright, patents, trademarks, trade secrets and other intellectual property, are all relevant.

Hackers:  Immortalized, and perhaps wrongly-portrayed by Hollywood, as a group of bleached-blond teenaged anarchists out to dismantle the tools and trappings of society, in reality, they are a serious and recognized threat to computer systems worldwide. 

If a network or server is compromised by an outside attack, an e-commerce company could be exposed to enormous third-party liability claims.  And, as more and more confidential data makes its transformation to electronic form, more and more hackers are going to find ways to access it.

For offshore centers, Norris says e-commerce companies may face further risk in this case.  "It is argued that people are currently hacking the most visible targets, where there is obvious wealth," he says.  "Targeting an offshore location due to its perceived wealth does not seem impossible to imagine."

Viruses:  There are viruses out there that can automatically erase crucial contents of your computer's hard drive.  In a networked organization, the damage to one computer can result in significant financial loss throughout the directly-connected online community.

Viruses can originate from employees, the Internet, spam e-mails and other sources, even by accident.  How much value do you place on the information currently stored on your computer? 

How much value do e-commerce service providers place on the information stored on their computers?  Enough said.

Technical malfunction and security:  Going back to the example we started with, the simple fact is that if an e-commerce company's server is down, or if for some other reason is not online, the sign in the virtual storefront has been effectively flipped from Open to Closed.  And, the more time spent offline means the more money and return clients that have been lost.

"Some companies have tended not to buy large enough bandwidth offshore," says Norris, addressing a possible further question of technical risk.  "Each landing for a submarine fibre-optic cable costs money and normally they target a dense population of users.  This may even lead to non-cable bandwidth (satellite or even microwave).  In this way, availability and cost of bandwidth may discourage users from buying enough and so system unavailability may occur, and losses."

Another concern may be security.  "Broadly speaking, companies who have set up offshore for cost savings may tend to spend less on technological security," says Norris.

Cyber fraud:  No, it didn't take long for fraudsters to embrace the anonymity offered by perpetrating scams on the web.  As electronic correspondence becomes legally binding, there could also be situations in which criminals access and use others' electronic signatures to commit fraud.

Regulation:  The less-than-stellar international view of regulation in some offshore jurisdictions could also affect the availability of coverage.  "Most, or all, countries are very undeveloped in terms of Internet law," says Norris.  "It may be that offshore locations are even less developed.  Uncertainty about the legal situation would tend to make our premiums higher."

These are a few of the big examples, but in reality there are many possible pitfalls for those involved in online transactions, both onshore and offshore.

"The risks from liability haven't changed, you're just in a worldwide jurisdiction," explains Chris Cotterell, the director and co-founder of SafeOnLine Ltd., a London-based insurance intermediary that offers cyber coverage.  "What has changed is that you've [offshore companies] moved away from your core service providers.  You're now just linked by a telephone line, and have outsourced many of the services that you used to have in-house."

Now, to the question of how to insure this cyber liability.  There are standard existing products that can provide some coverage, such as media-publishing liability or banking computer crime insurance, but the best bet may be a product specifically designed for Web-based risks.

Some of the options

The insurance industry has started to recognize the risks, and coverage policies have been, and continue to be, developed.  In many cases, it seems to have been a question of moving the scope and experience of some existing insurance policies into a cyber context.  Instead of protecting your office and hard-copy files with property insurance, you may now decide to protect your hardware, software and electronic information with some form of cyber insurance.

"The risk is still there, it's just about putting the risk in a different category," explains Cotterell.  "The market has to be able to change with it day by day."

Over a year ago, IBM and Sedgwick joined forces to provide one of the first comprehensive safety nets for companies involved in e-business.  Their cooperation provides risk assessment, risk control and risk transfer components.  Initially, IBM performs a "health check" on prospective customers.  This assessment of a company's Internet-based activities and internal computer network defines the scope of its risk, and how it can potentially be reduced through a combination of risk control measures and insurance coverage.

Many of the other insurance products available for e-commerce liability go hand-in-hand with this form of risk assessment and control.

Hiscox launched its Cyberliability coverage on August 13, 1999.  It covers various risks of cyber vandalism such as hacking and Web site damage and cyber fraud or crimes committed via computer–including the misuse of electronic signatures.

SafeOnLine has been in operation since early 1999, and offers a wide range of policies to insure Internet liabilities.  "What we've done, and realized, is that the risks are the same risks that already existed, but the quantitative nature of the risks is higher," says Cotterell. 

The company provides coverage with portfolios ranging from protection of credit card purchases over the Internet to cyber terrorism.

Cotterell describes an unsettling example in which one bank's information technology employee sent an e-mail to his employers telling them that he sabotaged part of his work on the bank's Y2K compliance upgrade.  The employee then demanded a large sum of money in return for the coding to repair the problem.  Cotterell says the bank paid.

"I know a number of such examples, and they [banks] will pay rather than try to fight it," he says.  "It's all going on out there and it's only going to get worse.  It's a more opportunistic fraud system.  You don't have to go to the bank to rob the bank anymore; you just have to go to a computer terminal."

In a recent report conducted by the General Accounting Office, the investigative arm of Congress, a review of banking regulators' examinations of 81 financial institutions found that 35 hadn't taken all of the risk-limiting steps regulators feel are needed.  SafeOnLine is in the process of developing an online banker policy that should be available early this year.

The answers are being worked on, and options are already available for individual e-commerce insurance risks.  It is a young market for a young industry, and the next few years are going to see further change. 

More and more companies will realize their needs for risk assessment and insurance coverage while increased regulation of the industry will inevitably take place.  All of these factors will affect the insurance market, and it will be up to insurance professionals to keep pace.

"Underwriters right now are basing their rates on things that have been done before," says Cotterell.  "As more statistical data becomes available to the industry, you could potentially see rates going up in certain areas."

At the same time, it will be crucial for appropriate security measures to be taken before, or in accordance with, relevant insurance policies.  Network security architecture, audits and constant monitoring will be necessary. 

Staying on top of technology in terms of things like firewalls to protect network servers will also be important, but remember, those locks have been made by people, and can also be picked by people.  Such concerns are going to keep the players in this young insurance market busy in the coming years.

"There are a lot of uncertainties, and the insurance industry has been incredibly slow in embracing it," says Cotterell.  "But, people really aren't so worried about a fire in their building anymore."
 

Mark A. Heard is a reporter and assistant editor with Offshore Finance USA magazine. [Copyright 2000 O.F.C. Publications Inc. This article was published in the January/February 2000 issue of Offshore Finance U.S.A. magazine]