Survey Reveals Business Not Prepared for E-Risks

July 31, 2000

A new survey reveals many of the nation’s largest employers are not prepared to handle e-commerce and e-communication risks. From dot.com companies to brick-and-mortar businesses using the Internet to dispense information or sell products, few employers have implemented the type of comprehensive e-risk management program that can limit electronic exposures and reduce e-liability. As a result, many employers can expect to spend six- to seven-figures recovering from e-disasters.

Among the most common and costly e-risks facing the business community: (1) business interruptions caused by hackers, cyber-thieves, viruses, and internal saboteurs; (2) six-figure litigation costs and million-dollar settlements stemming from employees’ inappropriate e-mail and Internet use; (3) claims that products or services advertised on the Web fail to deliver; (4) Web-related copyright and trademark lawsuits; and (5) patent infringement claims with defense costs averaging $1 million and judgments running into the hundreds of millions of dollars.

Employers eager to reduce—and in some cases eliminate—costly e-liabilities should implement effective e-risk management programs combining preventive computer security tools with comprehensive e-insurance policies designed to mitigate damages after e-disaster strikes.

So note the cyberinsurance experts at Assurex International, the world’s largest privately held commercial insurance brokerage group, and sponsor of the May 2000 E-Risk Survey. The survey, conducted for Assurex by the Human Resource Institute (HRI) of Eckerd College in Florida, involved Fortune 500 companies and national associations.

The Assurex E-Risk Survey reveals many employers are doing a good job with basic prevention: installing monitoring, filtering, and anti-virus software; adding firewalls and encryption programs; and educating employees about hackers. Few US businesses, however, have purchased e-insurance products to mitigate e-risks and reduce liability costs after e-disaster strikes.

A serious oversight, given FBI statistics that peg computer losses at $10 billion a year, thanks to hackers and other cybercriminals. Specifically, the Assurex E-Risk Survey reveals more than 21% of large employers’ systems have been hacked by outsiders, with 15% reporting hacker attacks that resulted in business interruptions lasting two hours to two days. Another 40% have experienced an increase in attacks over time. Ironically, while nearly 73% of employers are concerned enough about hackers to implement employee education programs, few have taken steps to reduce the costs (including lost productivity and revenues) associated with hacker attacks.

Business Interruption insurance policies are held by fewer than 24% of businesses. Only 18% have Crime Loss insurance. Under 13% of employers have Unauthorized Access, Unauthorized Use insurance. Fewer that 6% have Crisis Communications insurance to cover PR costs following e-disasters. And not even 2% have Extortion and Reward insurance to cover costs associated with cyber-terrorism.

Assurex President and CEO Thomas W. Harvey notes that Unauthorized Access, Unauthorized Use insurance and Business Interruption iInsurance, particularly, should be considered by any organization with an Internet presence.

“If industry giants like Yahoo, eBay, and Amazon.com can be hacked, if government institutions like the Air Force and Navy can be cracked, if high-security installations like the Pentagon can be infiltrated by hackers 250,000 times a year, how can the average company expect to be safe from cyber-attacks?” Harvey asked.

“Employers who think they can protect their assets simply by installing anti-virus software (98% of respondents), firewalls (96%), and encryption programs (69%) are kidding themselves. Computer security is just one part of the e-risk-management solution. Employers who want to be in business tomorrow must take control of their e-risks today, by purchasing e-insurance policies to reduce first-party losses and limit third-party claims.”

Another surprising survey finding involved employee misuse of corporate e-mail. Over 27% of large companies have defended themselves against claims of sexual harassment resulting from inappropriate e-mail and/or Internet use. No surprise, then, that 60% of employers monitor employee e-mail, 80% keep an eye on employee Internet use, and 93% have written policies governing employees’ Internet and e-mail use.

Those steps, part of a comprehensive e-risk management program, are good. Alone, however, they do not offer adequate protection against liability, according to the Assurex e-insurance experts.

“Any organization that has a corporate e-mail system is at risk,” Harvey said. “All it takes is one inappropriate or off-color e-mail message to trigger a lawsuit. Employment Practices Liability Insurance, which protects employers from workers’ claims of discrimination or wrongful termination based on race, sex, age, or disability, is a must for any employer who grants e-mail access to employees.”

As the Love Bug and Melissa viruses have demonstrated, a computer virus can interrupt business, drain revenues, and destroy credibility. Not surprisingly, more than 98% of employers surveyed have installed anti-virus software. Fewer than 13%, however, have purchased Computer Virus Transmission Insurance. That leaves 87% of companies woefully ill-prepared to recover from a potentially devastating virus attack.

“Where anti-virus software, e-mail attachment policies, and other preventive measures sometimes fail, Computer Virus Transmission Insurance succeeds,” noted Harvey. “Regardless of how a bug enters a system, Computer Virus Transmission Insurance helps cover the cost to restore the system to good health.” Overall, employers are not yet taking full advantage of the protections offered by many e-insurance products.

The Fortune 500 companies and associations surveyed report owning the following e-insurance products: Electronic Data Processing Insurance that extends beyond general business liability policies (14%); Specialized Network Security Insurance (17%); Media Liability Insurance (22%); Patent Infringement Insurance (27%); Computer Software and Services Errors & Omissions Insurance (31%); Product Liability Insurance (42%); and Director’s and Officer’s Insurance (53%).

Was this article valuable?

Here are more articles you may enjoy.