Chubb Executive Urges Cooperation Between IT and Risk Management Depts.

August 1, 2002

An executive with a leading commercial insurer is urging information technology departments to share information regarding attacks on corporate Web sites and computer networks with risk managers and insurers.

Without knowing the full extent and nature of these attacks, he said the insurance industry would not be able to develop products that are essential to helping protect businesses from the potentially significant operational and financial consequences of a wide-scale or targeted cyber attack.

“Many of you probably have not met your company’s risk manager,” said Alan Driscoll, senior vice president of Chubb & Son. “Not only can he or she help prevent IT-related losses throughout the enterprise, he or she also is your company’s direct link to the insurance industry. Your job and your company’s well-being may depend on whether the industry can provide the financial backstop should state-of-the-art information security products fail to defend the enterprise against a cyber attack.” Driscoll heads the risk management group in Chubb Commercial Insurance.

He warned that IT security tools aren’t a foolproof way of keeping hackers away from corporate and government Web sites and networks. He noted that a story in a recent issue of BusinessWeek, “Cybersecurity’s Leaky Dikes,” concludes that “Increasingly, high-level assailants are finding ways to camouflage their cyber attacks” and breach conventional security. One CTO told the magazine, “The systems we are trying to protect are becoming so complex that we’re all losing ground.” As a result, the number of security incidents appears to have doubled in the past year alone, according to the article.

“Insurance offers businesses an effective way to fill the risk gap that exists between the latest and greatest tech security tools and the smartest and most devious tech intruders,” warned Driscoll. Yet, he said the development of cyber insurance products has been slow thus far due to the lack of cyber loss data. Unable to model cyber loss potential, insurers are unable to underwrite or price appropriate insurance products. Nor can reinsurers provide the capacity necessary to enable insurers to take on substantial amounts of cyber exposures.

Only a relatively small number of insurers have put cyber products on the marketplace, and most do not address adequately, if at all, the severest cyber perils, said Driscoll. “Chubb is one of the few companies actually providing financial protection against cyber-related business interruption losses, extortion and thefts. And even in Chubb’s case, we typically are not providing that solution to all our commercial customers, but mainly to our financial institutional customers, because they represent a very distinct group with substantial e-commerce experience and regulation.

“I’m sorry, but the marketing-related exposures of running a Web site, such as intellectual property infringements and libel and slander, in many cases, don’t compare to a thief or terrorist shutting down all or part of your business by invading your cyberspace.”

Some insurers’ marketing efforts and inaccurate news reports have exacerbated the problem. “The other day I read a news wire story about an insurance product that enables companies to help protect their customers from the costs of identity theft. That was wrong: It protects companies when customers sue them for loss of their identity due to a Web site break-in,” said Driscoll. “The marketing campaigns, and in some cases, the accuracy of the reporting are unfortunately obscuring the real issues here.”

Driscoll said the industry needs more information about the risks to be able to develop the actuarial tables to price products that would provide substantial cyber risk protection. By passing along security-related information to risk managers, IT managers can help speed up insurers’ product development efforts.

Insurers, including Chubb, have been working with federal officials to encourage cyber threat and incident information sharing among businesses through industry groups and between businesses and the government. Anti-trust laws, privacy concerns and fear of reputational damage if the information were leaked publicly have hampered such efforts.
