Call it the perfect storm for cybercoverage. The insurance industry has been rocked by gargantuan losses from the Sept. 11 terrorist attacks, the destructive Code Red and Nimda worms, low returns on investments and several large IT-related losses. Together, these factors will likely mean dramatically higher premiums for I-managers trying to insure their operations against hackers, worms and other risks.
Insuretrust.com, a cyberinsurance underwriter, is raising premiums on its network security policies by 20 percent or more. Insurance carrier Chubb Group is raising rates on its IT-related errors and omissions policies by as much as 40 percent. Zurich Surety and Financial Enterprises, another major carrier, also expects to raise rates, but would not quantify the increases.
“Virtually everything is going up. There isnt any line of commercial insurance that isnt looking at an increase,” said Emily Freeman, practice leader for e-business risk solutions and senior vice president of Marsh, an MMC Company and Americas largest insurance broker.
The Sept. 11 terrorist attacks, which may cost insurers up to $40 billion, will further weaken an already ailing industry. Fewer reinsurers will share the risk borne by insurance carriers, shrinking the supply of available coverage. That will almost certainly result in upward pricing pressure on cyberinsurance – a market the Insurance Information Institute estimates could generate $2.5 billion in annual premiums by 2005.
“This is the toddler stage of a hard market,” said Brian Brown, Zurich Suretys regional manager for e -business solutions. Large reinsurers were skittish about cyber-risk coverage long before global networks were rocked by the Code Red and Nimda worms. And the reinsurers continue to fear that all of their cyber-risk clients could get hit by worms – and file claims – at the same time. The worms are “potentially an earthquake across the entire Internet. And we underwrite against that,” Brown said.
Insurers are also paying more attention to software. This summer, J.S. Wurzler Underwriting Managers raised premiums by up to 15 percent on clients that use Microsofts Windows NT or Internet Information Server. Wurzler found that system administrators who use open source systems tend to be better trained than those who use Microsoft. Wurzlers stance was bolstered last week when John Pescatore, Gartners research director for Internet security, advised companies that were hit by both the Code Red and Nimda worms to quit using IIS immediately and switch to more secure platforms like Apache.
Another factor driving rates higher are lawsuits against IT companies. In 1994, the state of Mississippi hired systems integrator American Management Systems for a three-year, $11.9 million, tax software contract. The state sued, claiming the company botched the job. Last year, a jury awarded Mississippi $474.5 million, and AMS agreed to settle for $185 million. AMS has also been hit with a $350 million lawsuit by the Federal Retirement Thrift Investment Board, which claims AMS didnt perform on its contract.
Later this year, a $500 million lawsuit against technology consultancy Accenture is expected to go to trial. The suit, brought by trustees for bankrupt drug wholesaler FoxMeyer, alleges Accenture did such shoddy work on a 1995 integration project that FoxMeyer was forced into bankruptcy because it could not fill orders.
Chubb, one of the biggest providers of IT-related errors and omissions coverage, reported that its losses in the sector have increased fivefold in recent years. “A few years ago, big IT contracts were $3 [million] or $4 million. Today, $20 million contracts are routine,” said Timothy Ehrhart, an assistant vice president of Chubb. “The extent of work companies are doing, like enterprisewide integration and custom systems, take longer to develop and install and integrate. And that means theres a greater potential for error.”
While insurance executives acknowledge that premiums are rising, they say I-managers who have well-run IT operations with good security procedures should still be able to get coverage. Operations with marginal security practices may find coverage prohibitively expensive or unavailable.
Insurers are also keenly aware of the renewed potential for cyberterrorism. “As it becomes more difficult for terrorists to knock over buildings, the more likely it is theyll use the Internet for some of their attacks,” said Steve Haase, CEO of Insuretrust. “And thats going to make insurers very cautious.”
The losses on the World Trade Center, the Pentagon and the hijacked jetliners are the industrys largest ever, by several orders of magnitude.
“A huge hole has just been gouged out of companies balance sheets,” a Sept. 17 report on the insurance industry by investment bank Morgan Stanley Dean Witter & Co. said. Some insurance “companies that would not have otherwise been toppled by a large catastrophe probably just cant afford this one.” The report predicts that numerous insurance and reinsurance companies will fail due to the calamities, and the global reinsurance market may shrink by one-third or more.