Watch Your Step

By eweek  |  Posted 2001-02-26

Ohm's Law. Moore's Law. Parkinson's Law. They're all critical to running a high-technology enterprise. But the most important law, by far, when it comes to ensuring the long-term success of a solutions provider, is Murphy's Law. Assume, as a matter of course, that on any given customer engagement, everything that can go wrong, will go wrong.

Skeptical? Consider the classic case of McDonnell Douglas and its ill-fated systems integration pact with a now-defunct New Jersey wholesaler, Kane Carpet. It was just a routine $300,000 project, calling for the installation of an inventory control system. But the system broke down, Kane's frustrated customers defected and the 60-year-old carpet company went out of business in a matter of months. Kane's resulting tort claim, which alleged that the vendor fraudulently misrepresented the system, sought millions in collateral damages and dragged through the courts for years. In the end, only the lawyers won.

"Every time you take on a new project, you take on huge liabilities that go far beyond [what is covered] under the limited scope of your engagement contract," says Jack Wagner, managing director of the high-tech team at Summit Global Partners, a risk management consultancy and insurance underwriter.

Confronting Murphy's Law requires a total, companywide risk management effort, encompassing everything from good hiring practices, to solid engagement methodologies, to airtight client contracts. But all those internal steps are still not enough to shield you from catastrophe. To truly guard against a fatal disaster, you must make one final, necessary trip—now don't all groan at once—to a reputable insurance firm.

The perils of e-biz contracting—where 75 percent of projects are said to fail, the threats to Internet security and privacy are growing, and the litigiousness of shareholders is increasing—are among the many reasons to dig down into your wallet for some extra protection.

Two general suggestions before you embark on the quest for the perfect policy: Don't buy generic insurance; it offers virtually no protection against the specific ills that can befall a high-tech company. And don't sign on any dotted lines without expert guidance from a lawyer and a high-tech specialty underwriter.

That said, here's a guide to the various types of high-tech insurance on the market:

The Broad Brush

"Errors & Omissions" (E&O) insurance, which protects against any litigation threat that extends beyond the value of the customer contract itself, is as essential to a professional-services provider as flood insurance to a Mississippi Delta homeowner. Even more so, in fact.

The homeowner only stands to lose a home and its contents, while a small solutions provider who gives bad advice or oversees a runaway project may be liable for many times the asset value of his or her company.

John Wurzler, whose firm, Wurzler Underwriting Managers, offers a "media technology and professional liability" policy geared to IT solutions providers, says the problem with off-the-shelf E&O insurance is that it excludes practically every type of liability exposure commonly encountered in consulting/systems integration engagements.

"More and more [integrators] are buying specialty blanket coverage of their entire IT exposure," says Wurzler, whose clients include Hewlett-Packard, IBM, and Symantec.

A good high-tech E&O policy, says Summit's Wagner, at minimum should negotiate around the standard contractual liability exclusion that effectively indemnifies the insurance carrier against all liabilities. Wagner suggests your E&O policy should have language that excludes coverage only to the extent that the liability "would not have arisen absent the contract."

In other words, if your client claims that your custom application failed and caused damage to its business, the insurance carrier will no doubt argue that the performance of the software is covered in the original sales contract and will use the existence of that contract as the basis for denying coverage. But if your E&O policy specifies coverage of all claims that would have been made in the absence of a contract, then the above-mentioned application failure would be fully covered.

Ted Doolittle, the manager of Internet E&O at Carpenter Moore Insurance Services, says a standard E&O policy also is likely to contain liability exclusions for unauthorized system access, "advertising injury" (injuries to other parties stemming from incorrect or misleading information on your Web site), fraudulent acts by your employees and electrical failures.

"What you want to do wherever possible is amend this preamble language to make it more favorable to you," Doolittle advises. "For example, with electrical power failures, you could narrow the exclusion from charges 'arising out of' to charges 'for.' … That's a significant difference in your level of liability exposure."

You may be able to buy E&O coverage for specific contracts, but blanket coverage is a lot less expensive. Plus, insurers hate issuing policies for individual engagements. One reason, Doolittle explains, is the threat of ancillary suits from customers on similar projects.

Prices for blanket E&O coverage vary widely—anywhere from $5,000 to upward of $50,000 a year for $1 million in coverage. How much coverage should you take? Experts say that's a function of your balance sheet, your previous job performance, your level of confidence in tackling difficult projects and your faith in your people. But a $50 million integrator probably shouldn't hang a shingle without at least $5 million in E&O insurance.

Another staple for solution providers is so-called "crime" insurance, which shields you from liability stemming from the illegal actions of your employees. An example, says Wurzler, would be a member of the integrator's project team who surreptitiously builds a backdoor into the customer's system and uses it to steal credit-card data. If that theft seriously damages the customer, the integrator's liability could be enormous.

Wurzler says a stand-alone crime policy typically is priced at about $10,000 for $1 million in coverage. But if bundled into an E&O policy, he adds, you can get that crime protection for roughly $2,500.

Completion bonds, similar to those that underlie all big-budget motion pictures, are finding their way into the high-tech industry. That type of insurance usually is demanded by the customer—often government agencies—and paid for by the vendor. Its growing popularity is a function of the complexity of e-business projects; the inexperience and incompetence of some solutions providers; and, now, the threat of insolvency that dogs an increasing number of e-services firms.

And finally, some ASPs and ISPs are buying protection against suits stemming from their failure to meet their contractual service level agreements (SLA). Although all contracts specify remedies—monetary penalties, damages, right to terminate clauses, etc.—Wurzler notes that the contract SLA provisions are sometimes "too weak," and vendors seek out added peace of mind.

"This is not a cookie-cutter business," says Wurzler. "Every warranty program we create for a company is different."

D&O, Not "Doh!"

Professional liability insurance, however, protects only the firm against losses due to poor performance or malfeasance. It does nothing to insulate the officers and directors of a company from the threat of a lawsuit; a threat that is all too real these days, as angry shareholders react to the continuing meltdown in their high-tech portfolios.

"Where professional liability coverage slips off, director and officers [D&O] coverage picks up," notes Madelyn Flannagan, VP of research and education at the Independent Insurance Agents of America, a national trade association. She recommends that every public and privately held company that has a board of directors invest in D&O coverage.

D&O insurance covers directors and officers of a company that is accused of financial shenanigans, such as fraudulent earnings reports or illegal employment practices, including age and race discrimination. The insurer will pay the legal defense costs and most—if not all—of the settlement or jury award if the suit eventually goes to trial.

D&O insurance offers another major benefit. It helps firms, especially startups, attract good people to serve on their boards, says Robert John Wekselblatt, an insurance broker in San Francisco. Many experienced business people, especially those with substantial personal assets, won't join a board unless the company indemnifies them against claims.

While the most frequent claims covered by D&O insurance relate to employment practices, shareholder complaints represent the greatest threat in dollars, says attorney Robert Suomala, vice chairman of the American Bar Association's D&O liability committee.

Indeed, a Towers Perrin survey found that the average size of a shareholder D&O liability claim award rose to a record $8.7 million in 1999, while employee claims cost an average of only $306,000. Shareholder claims were the more common among publicly traded companies, while employee claims accounted for most of the activity at privately held firms. Overall, D&O premiums are declining, except in the high-tech and biotech industries, where D&O rates continue to rise.

Companies now pay about $250,000 to $275,000 for $5 million worth of coverage, up from $200,000 a year ago, says a broker at American International Group, a major high-tech insurance carrier. He attributes the increase in premiums to the rise in lawsuits, which typically take about three years to snake through the system, from filing, to judgment, to setting the new policy premium. After the initial $5 million coverage, rates drop about 20 percent for additional $5 million increments.

How much coverage do you require? "As much as you can afford," advises Tony Galban, VP of D&O underwriting at Chubb Executive Risk. The number of securities claims that settled for a cash payment rose almost 40 percent in 2000 to 156 from 112 the previous year, and the total value of those claims more than doubled to $4.47 billion, according to Galban.

Tech companies, whose stocks tend to be extremely volatile, and which often use stock swaps to accomplish mergers and acquisitions, are a favorite target for shareholder suits.

Other insurance experts suggest buying D&O coverage equal to about 5 percent to 10 percent of a company's total market capitalization. In no case, they say, should you have less than $1 million in D&O coverage.

Other considerations in buying D&O insurance include the claims experience of similar companies, the financial health of the insurer and the exclusions in the policy. Situations not usually covered by standard D&O policies include lawsuits brought by one director against another and insider trading allegations.

Secure Your Battle Stations

Network security, unlike errors and omissions, or acts of God, is an intensely competitive endeavor. Intelligent minds are out there, actively seeking out and exploiting your vulnerabilities. And, as you take intelligent steps to reduce your exposure, they come up with countermeasures. Meanwhile, the potential for loss from a security breach can cripple your business.

The insurance industry is only just beginning to delve into the realm of network security, but as a solutions provider or an end customer, you need to look seriously at transferring at least some of your security risk to an insurance carrier.

Matthew Kovar, an analyst at The Yankee Group, argues that a "CIO who does not move to insure against hackers probably doesn't really have a good sense of what is at risk and, in my opinion, is probably not doing his job."

Before buying any kind of policy, do an assessment of the type and magnitude of your particular security risk. That will tell you where to focus your insurance coverage and how much of it you need. The easiest potential costs to assess are immediate losses of revenue. Cash flow stemming from Web-based transactions is clearly at risk. Disruption of internal IT resources due to denial-of-service (DoS) attacks and corrupted or deleted data also falls under that category. Those costs may be more difficult to estimate, but in many cases may represent a bigger financial loss. Most recent viruses, for example, have done most of their damage by disrupting e-mail service.

The aftermath of a DoS attack can prove at least as costly as the attack itself, and such costs can be difficult to quantify. Post-attack response, recovery and forensics are expensive, both in terms of person-hours and IT service disruption. It may take considerable time and effort after an attack to determine whether sensitive intellectual property has been stolen or corrupted, and even more to pursue legal recourse if it has been. A successful attack—particularly one which includes theft of sensitive information—may be followed by an extortion attempt. A public attack can damage your company's reputation and brand identity to an extent that dwarfs the tangible costs.

Greg Grant, director of marketing programs and strategic alliances at Internet Security Systems Inc., believes that "damage to third parties is probably the most overlooked cost of security breaches." Such a breach may result in widely different kinds of third-party liability, some of which may be trivial to assess and others wholly speculative. The costs of a violated SLA or fraudulent credit-card transactions, for example, are readily predictable and may be spelled out in a contract. However, liability for damage caused to third-party networks—whether caused by employees or as part of an attack by an outsider—can be extremely difficult to predict.

As the insurance industry hasn't established standard procedures in that area, there are no reliable industrywide statistics on damages from security breaches and nothing from which insurers can create usable actuarial tables. As a result, the process of selecting the scope of coverage and setting premiums is generally accomplished on a company-by-company basis.

Most insurers rely upon a thorough and extensive security audit by outside experts to determine your policy eligibility and premiums, but differ a great deal on specific requirements and the weight placed on different elements of the assessment. Others look only at specific measures as an indicator of overall security posture.

For example, according to Jon Callas, director of engineering at Counterpane Internet Security, "Lloyd's [of London] looks at our customers the way health-insurance companies look at nonsmokers. They assume that someone who cares enough about security to hire us is going to be pretty much on the ball."

No matter what your insurer requires, hire an independent firm to do a thorough audit of your entire company before settling on a specific policy. Avoid relying entirely on the insurer's internal auditors. Without specific information on your business's strengths and weaknesses, you're at the mercy of the insurer when it comes time to select appropriate coverage.

"A CIO who buys without identifying the specific risks is likely to end up underinsured where its risk is greatest, and overinsured where it's least," warns Kovar of The Yankee Group.

Set aside time and resources to implement the auditor's recommendations, retaining the auditor as a consultant or bringing in a second firm, if possible. Schedule regular audits to update your self-assessment, and continue to implement new recommendations as they come up. Aside from the obvious security benefits, that allows a firm to avoid insuring risks that can be reduced or eliminated with relatively cheap policy or technology solutions.

Indeed, most insurers will offer sizable discounts to customers who take active steps to improve their security postures. "We help insurers by reducing the buyer's vulnerability and improving the quality of their portfolio," says Jeff Louie, worldwide marketing manager for Hewlett-Packard's Mission Critical Services Organization. "The insurer can then, in turn, reduce their premiums." John Wurzler, of Wurzler Underwriting Managers, concurs. "Good security practices can make the difference between a $20,000 premium and a $7,000 premium. If the customer takes extraordinary measures, so will I. If they've got 24 x 7 monitoring of their servers and firewalls, I might be able to give [them] an 80 percent discount."

Because policies are so heavily customized, it's important to be very clear as to what is covered and what is not. Does your policy cover losses in revenue or only net profits? What about recovery costs? Is your extranet covered, as well as your intranet? Remotely connected machines? Are you covered for third-party liability? What if one of your employees attacks a partner's network? Will they offer bounties for stolen credit-card numbers? Will they cover your legal costs? Can you qualify your partners for their own coverage? The appropriate combination of policy terms will depend entirely on your company's specifics, so take great care.

"The thing that executives need to understand most is that it's their necks on the line here," warns Kovar, addressing the need for every type of high-tech insurance. "In the end, they are going to be held personally liable for failure to conduct due diligence if they're not addressing these issues. If they think they can hide behind a corporate veil, they're going to be in for a big surprise."