The weakest link?
Businesses have become reliant on their computer networks to survive, which can increase risks not covered by traditional property insurances. Brokers are missing out on opportunities by not promoting the covers provided by specialist network security insurance, says Shaun Cooper.
A key recommendation from the Department of Trade and Industry and PricewaterhouseCoopers' Information Security Breaches Survey 2004 was that businesses need to invest appropriately in security controls to mitigate the risks or - in insurance - to transfer them, so there has never been a better time to raise the topic of network security.
Many organisations have increased productivity by becoming heavily reliant on their computer networks and the internet. The creation of automated, real-time business processes has enabled organisations to significantly improve efficiency in a range of vital areas, from purchase information, keeping track of stock levels and sales trends to internal accounting, customer relationship management and fulfilment. However, this growing dependency on technology brings serious risks.
There are numerous risks facing an organisation's computer network and the data it holds. These are generally broken down into two headings: accidental and malicious. Accidental risks include human error, accidental damage, natural disasters and power failures. The malicious risks arise from breaches of network security, such as hacking (from both inside and outside the network), denial of service, malicious code such as viruses or worms, and computer fraud.
Friend and potential foe
Outsourcing is often seen as a practice performed by large companies, about 66% of which wish either to make cost savings or to concentrate on their core business, with the service governed by a service-level agreement (SLA) contract. SMEs are beginning to anticipate benefits from outsourcing, and many already use outsourced facilities.
Some services have always been outsourced, for example, the use of an internet service provider. Cost savings are possible as their customer does not need to recruit expensive non-core skills. Outsourcing service providers can exhibit economies of scale, both through manpower and skills as well as hardware and network infrastructure. Additional savings can be made if the operation is relocated.
Outsourcing technology and data services, such as transaction processing, billing and collections, is common across many industries and businesses. But these services are especially vulnerable to the losses mentioned. Quite simply, the responsibility for protecting the network cannot be outsourced. The consumer backlash and associated negative publicity, possible class-action suits, significant fines and diminished investor confidence are likely to occur regardless of who is standing watch when network security is compromised.
Traditional property insurance policies generally do not cover losses to data and the flow of data. This damage to intangible property is also excluded by specific data exclusions, for example: destruction, distortion or alteration of electronic data, and inability or failure to receive or use electronic data. However, this exclusion does not apply where a physical loss has caused any of the matters described above. Traditional types of insurance only protect physical electronic assets such as computer terminals and telephones.
The result is that companies can be vulnerable in the event of a major computer attack and reliant solely on their technology solutions. But technology alone cannot guarantee network security. In order to protect digital assets and reduce liability exposures, specialised insurance solutions are required.
Network exposures
Against the backdrop of risks and restricted cover, it is important for brokers to assess both the exposures and adequacy of cover for their own businesses and their clients. This can be approached in a three-step process:
Step one - assess the current insurance programme protection for the following losses: breaches of network security; cyberattacks (non-directed, self-propagating viruses, worms and other malicious code); invasion of privacy and identity theft; cyberextortion; digital forgery; business interruption and disaster recovery (denial or impairment of e-service, denial of service and cyberattacks); theft of confidential information by employees, customers or hackers; theft of confidential information via copying; and loss arising at non-proprietary (non-owned) systems and networks, i.e., IT vendors and outsource partners.
Step two - identify the company's reliance on its computer network, and where denial of access to those systems and/or their data, failure of systems to function properly, or loss of information or tangible assets through the unauthorised manipulation of computer systems/programs could cause catastrophic loss.
When these business processes are not available to users, there is downtime and very often business grinds to a halt. And when business stops it gets expensive.
Outsourcing also needs to be identified, as it brings new risks to the company's balance sheet that would not be addressed under the SLA contract, for example, loss of revenue and financial loss caused by an unplanned outage. Traditional types of property insurance would not generally cover damage to brokers' data/systems either. The problem here is that these traditional property policies often only protect physical electronic assets such as computer terminals and telephones, not the loss of data or data flow.
Data loss and damage
By outsourcing, organisations have become one step removed from those that access their network and critical systems. Any loss of data and corrupted software programs will cause a loss of revenue and data recovery costs. To ensure this is mitigated, the following perils need to be managed:
Accidental damage or destruction of data media so that the corrupted data cannot be understood by a computer. Modification or loss of data can be due to: electrostatic build-up or electromagnetic disturbances; natural disasters or the consequences of lightning; malfunction, failure or damage to the computer system or the supply systems, including air-conditioning units, generators providing an independent power source, power standby units, frequency changers and other units that help to ensure that electronic units are ready for operation at all times; peripherals and data lines used for data transmission; and failure in power supply or over/under voltage.
It is also important to ask where the data is managed, for example, at the insured's premises or other external places of operations; if another company has been authorised by the insured to process the insured data, including maintenance facilities; at the external backup storage facilities and during transmission in respect of data; and during transportation in respect of data media.
Step three - the risks and threats to organisations are real and growing in sophistication. Downtime can be very expensive, and calculating the cost to an organisation and, therefore, the required sum insured involves an assessment of the following key aspects.
The number of employees impacted and the extent of the impact vary between departments and depend on their reliance on the network to carry out their roles. Some departments can find alternative ways of functioning if a critical service is not available. The aim is to estimate each department's decline in productivity as a percentage of typical output and review the averages of the different departments to estimate a reasonable organisation-wide average.
Average employee cost per hour needs to be assessed; working with both the human resources and finance departments will provide a cost per hour based on salary, benefits and overheads.
The number of annual downtime hours. This measures the time lapse after which IT system downtime will affect the turnover and have adverse consequences on relations with clients. For example, a medicine wholesaler may face immediate problems for a pharmacy that needs a four-hour delivery time. If their supplier is unavailable, they will look for an alternative source, effectively, a competitor.
It is vital to fully document downtime and to avoid 'wild guessing', as calculating the precise number of annual downtime hours is critical to obtaining the correct level of protection. As revenue is the lifeblood of any organisation, finding this information should be fairly easy. Organisations will usually have a precise knowledge of their turnover, but may have a poorer understanding of their gross margin as a percentage of their turnover. Remember, gross margin equals turnover minus variable charges.
Variable charges include raw materials, subcontracted components, utilities, outsourced services, temporary manpower, etc. Because this gross-earning percentage can easily vary, from 20% in manufacturing or heavily outsourced business to 85% in some services' activities with little sub-contracting and non-HR charges, it is important to give proper consideration to this ratio and achieve a fair assessment.
In addition to these factors, the following costs need to be built into calculating the overall sum insured: data re-establishment to 'intangible' assets, for example, corrupted data/information held on the systems; replacing, restoring or recollecting data that has been corrupted or destroyed by network failure; criminal threat of releasing sensitive information or bringing down the network unless demands are met, including extortion monies; loss of income and extra expenses when the network is interrupted by attack; and covers against criminal hackers, malicious insiders and distributed denial-of-service computer attacks.
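The downtime-cost factors from step three, worked through in code. This is an added example, not part of the original article: the department figures, hours and turnover are constructed, and the way the factors are combined into one estimate (idle-labour cost plus lost gross margin for the downtime hours) is an assumption of this example, not a formula the article gives.

```python
from dataclasses import dataclass

@dataclass
class Department:
    name: str
    headcount: int
    productivity_decline: float  # fraction of typical output lost while the network is down (0..1)

def organisation_wide_decline(departments):
    """Headcount-weighted average of the departmental productivity declines."""
    total = sum(d.headcount for d in departments)
    return sum(d.headcount * d.productivity_decline for d in departments) / total

def hourly_employee_cost(annual_salary, annual_benefits_and_overheads, hours_per_year=1800):
    """Fully loaded cost per employee-hour (salary, benefits and overheads); hours_per_year is an assumption."""
    return (annual_salary + annual_benefits_and_overheads) / hours_per_year

def gross_margin(turnover, variable_charges):
    """Gross margin as defined in the article: turnover minus variable charges."""
    return turnover - variable_charges

def margin_ratio_needs_review(turnover, variable_charges, low=0.20, high=0.85):
    """Flag a gross-margin ratio outside the 20%..85% span the article quotes, so it gets a second look."""
    ratio = gross_margin(turnover, variable_charges) / turnover
    return not (low <= ratio <= high)

def downtime_cost(departments, cost_per_hour, downtime_hours, turnover, variable_charges,
                  trading_hours_per_year=2000):
    """Assumed combination: idle-labour cost plus the gross margin that the downtime hours would have earned."""
    headcount = sum(d.headcount for d in departments)
    labour = headcount * organisation_wide_decline(departments) * cost_per_hour * downtime_hours
    lost_margin = gross_margin(turnover, variable_charges) / trading_hours_per_year * downtime_hours
    return {"labour": labour, "lost_margin": lost_margin, "total": labour + lost_margin}

# Constructed sample organisation (not from the article).
SAMPLE_DEPARTMENTS = [
    Department("sales", 40, 0.9),       # order entry stops without the network
    Department("warehouse", 30, 0.5),   # can pick from printed lists for a while
    Department("production", 50, 0.2),  # line keeps running on local controllers
]
SAMPLE_COST_PER_HOUR = hourly_employee_cost(30_000, 15_000)  # 25.0 per hour
SAMPLE_DOWNTIME_HOURS = 24                                   # documented annual downtime
SAMPLE_TURNOVER, SAMPLE_VARIABLE_CHARGES = 12_000_000, 8_400_000  # 30% gross margin

if __name__ == "__main__":
    result = downtime_cost(SAMPLE_DEPARTMENTS, SAMPLE_COST_PER_HOUR, SAMPLE_DOWNTIME_HOURS,
                           SAMPLE_TURNOVER, SAMPLE_VARIABLE_CHARGES)
    print(result, margin_ratio_needs_review(SAMPLE_TURNOVER, SAMPLE_VARIABLE_CHARGES))
```

The returned breakdown is only the starting point for the sum insured; the data re-establishment, extortion and PR costs listed above still have to be added on top.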
Insuring against downtime risk
Mitigating downtime, like the range of risk-transfer solutions, will vary widely based on requirements and perceived risk. It can be either fairly straightforward or very complex. Network security insurance provides financial support to restore data and, in addition, will assist financially with increased costs of working and loss of revenue cover for up to three months from the original date of loss.
In the event of a loss, some organisations will implement other risk-mitigation mechanisms such as business continuity and disaster recovery programmes. Network security insurance complements these plans by covering activation and usage costs as well as providing financial support for loss of revenue due to a denial-of-service attack. It can also cover PR costs to re-establish the firm's brand and reputation.
An increasingly mobile workforce using technology is creating risk exposures for businesses. In a recent survey of over 200 chief risk officers from across the globe conducted by the Economist Intelligence Unit and supported by ACE, well over 70% saw the increase in wireless and mobile applications as a threat and more than 55% were concerned about remote working.
Security experts expect threats to mount as mobile devices become as capable as laptops and as hackers start to exploit the developer kits that accompany mobile operating systems.
While many experts suggest that the first wave of mobile-device attacks will not be seen until 2006, all of the main antivirus and security management vendors already sell mobile versions of their products - possibly playing on paranoia but also giving security managers a rare opportunity to gain a head start over hackers.
Businesses need to maintain their competitive advantage and technology is the enabler. However, to ignore the risks and potential exposures is a distinct disadvantage.
CHECK LIST
Key processes to understanding an organisation's operational dependency on its computer/telecommunications network:
- Process accounting functions, produce invoices
- Automated stock control
- Automated manufacturing and production lines
- Process and tracking orders
- 'Paperless' offices; storage of documentation, plans and designs
- Run telecommunications, security/closed-circuit television facilities
- Update client, customer and patient files
- Cash and credit-card transactions.
Copyright Infopro Digital Limited. All rights reserved.