You're Covered

Insurers offer incentives to buy hacker insurance

In the increasingly competitive hacker insurance market, American International Group is making an offer it hopes prospective clients won't refuse — a free, comprehensive security assessment.

AIG, the largest commercial insurance underwriter in the U.S., hopes the free on-site security check — which ordinarily can cost tens of thousands of dollars — will encourage more companies to buy insurance coverage from it. AIG is one of the biggest players in a swarm of underwriters and brokers that are rushing into the hacker insurance market, a sector that the Insurance Information Institute estimates could generate $2.5 billion in annual premiums by 2005.

The insurers' sales efforts are being aided by highly publicized events such as the assault on Microsoft's Web site in January and the more recent "Anna Kournikova" worm that tied up mail servers around the world. Insurance industry officials said their business is doubling every six to 12 months, as worries about hacking increase and more information technology professionals realize their companies' standard insurance policies don't cover risks incurred by their Internet-based businesses.

"People aren't used to spending money on this," said Ty Sagalow, chief operating officer at AIG eBusiness Risk Solutions. "The cost of the insurance application [in the past] included — for almost everyone — an on-site security assessment that would cost upward of $20,000, whether you bought the insurance or not."

To help convince qualified prospects — applicants must be seeking $5 million or more in coverage — to buy insurance, AIG will pay independent security firms Global Integrity and Unisys to do the on-site assessments. The firms will do external probes and "ethical hacking" of a prospect's Web site, as well as perform a two-day, on-site analysis to determine what types of security problems the company faces.

At the end of the assessment, if a prospect decides not to buy AIG's coverage, the company can "keep the security report and assessments as AIG's gift," Sagalow said.

Although AIG's assessment is free, some competitors expressed skepticism. John Wurzler, chief executive and founder of J.S. Wurzler Underwriting Managers, which specializes in Internet-related risks, said AIG's offer may create a false sense of security among insurance buyers.

"Security is not a product; it's a process," Wurzler said. He requires the companies that his firm insures to do monthly security checkups.

What's Covered

Companies interested in hacker insurance can buy coverage either as a package or à la carte. Some policies only pay for risks associated with loss or misuse of intellectual property. Others cover liability for misuse of a company's site by a third party, or damage caused by an outside hacker.

Premiums are generally based on a company's revenue, as well as the type and amount of coverage being sought. Rates vary. A package policy that covers a range of risks, including liability, loss of revenue, errors and omissions, and virus protection, can cost $6,000 to $20,000 per year — or more — for each million dollars of coverage in the policy.

Given the range of costs and coverage, industry officials warn potential buyers to be wary. Some policies cover only the amount of net income lost due to hacking. A better choice for some companies may be coverage for lost revenue.

Numerous variables can affect premiums. Just as a buyer of auto insurance can choose a high dollar deductible to lower the premium, hacker insurance buyers can choose different waiting periods before coverage begins. For instance, a policy that begins paying for business losses just four hours after a hacker shuts down a site may cost more than a policy that begins paying after 24 hours of downtime. These waiting periods, called time element deductibles, are variable and depend on the kind of business being covered and the amount of risk a business may face.

Companies can also get substantial discounts on their policies if they have managed service contracts with an insurer-certified security firm.

Security assessments are critically important for both insurers and insurance buyers. Hacker insurance is such a new product that there are no reliable actuarial tables to determine rates. Therefore, insurance companies rely heavily on the assessments to help them determine the amount of risk they are taking on with a given company.

For the companies seeking insurance, assessments should help them find — and immediately fix — holes in their defense systems.

Stiff Competition

Underwriters competing with AIG — the Chubb Group, Fidelity and Deposit Companies, St. Paul Companies, Lloyd's of London and Wurzler — are rolling out a fleet of new products and alliances to help them gain market share.

Chubb recently announced new coverages designed for online banks, brokerages and insurance companies. Wurzler has joined with Hewlett-Packard to market its products to a select group of HP's clients.

Insurance brokers and security firms are teaming up to sell branded products and services.

Marsh & McLennan Companies, the world's largest insurance brokerage, is selling insurance provided by AIG, Chubb and Lloyd's. The brokerage relies on Internet Security Systems to do its security assessments. Counterpane Internet Security has allied with brokers Safeonline and Frank Crystal & Co. to provide its clients with special policies underwritten by Lloyd's.

"It's a wildly growing market," said Michael S. Flanagan, managing director at Silicon Insurance, a division of broker Arthur J. Gallagher & Co. Gallagher relies on accounting giant Ernst & Young for security assessments, and its primary underwriters are AIG, Fidelity and Deposit and Wurzler.

Hacker insurance has "been a small market because people were waiting for e-commerce to hit," Flanagan said. "Well, now e-commerce has hit."

Flanagan and other insurers are finding a ready market for their products because companies with Internet operations are increasingly under attack.

A survey done last year by the Federal Bureau of Investigation and the Computer Security Institute, an association of computer security personnel from the private and public sectors, found that from March 1999 to March 2000, 27 percent of the 640 governmental agencies and businesses that responded said they experienced denial-of-service attacks. Viruses are also wreaking havoc. Losses from last year's "Love Bug" virus were estimated to be as high as $10 billion.

AIG's move to lower the cost of obtaining hacker insurance shows the market is beginning to mature, industry experts said. And security analysts hope it will encourage more Net companies to get insurance coverage.

Companies need to "understand that getting hacked is not just an inconvenience," said Greg Grant, director of marketing programs and strategic alliances at ISS.

"Anything Internet-facing is a point of vulnerability. Companies can be attacked directly or they can be used to attack someone else. There's real exposure and liability. They need to reduce their risk, and the only way to do that is through proper insurance," he said.