Safety Net Featured

9:40am EDT July 22, 2002

While e-commerce is growing exponentially, little attention is being given to the new and expanding risks of doing business on the Net.

Moreover, these new risks are not generally covered by a company’s standard insurance program.

In early February, some of the most well-known Internet sites, including those of Yahoo! Inc., Amazon.com Inc. and eBay Inc., were hit with denial of service attacks that closed down their systems for several hours by blocking access to legitimate users and customers. It has been reported that Yahoo! lost $500,000 due to the attacks.

Internet retailer CD Universe, an online seller of compact discs, was infiltrated by a hacker who stole the credit card numbers of 300,000 customers. The hacker threatened to post 100,000 credit card numbers on the Internet unless the company paid him $100,000.

CD Universe refused, and the hacker posted 25,000 numbers. While a credit card holder is generally only liable for the first $50 of fraudulent credit card use, the credit card issuer incurs the remaining loss. Cardholders are unlikely to sue for $50, but it is conceivable that a card issuer may sue a company such as CD Universe, alleging its loss was caused by the company’s negligence in maintaining security for its Web site.

Despite the growth and pervasiveness of e-commerce, the losses outlined are not covered under a company’s standard insurance program because there has been no triggering event or property damage or bodily injury. The negligent or intentional insertion of a malicious virus into a computer system causes neither property damage nor bodily injury. As a result of this coverage gap, the insurance industry has recently responded with several new insurance policies to cover cyber risks.

Several policies provide coverage (legal fees and amounts for settlement or judgments) for the insured’s liability to others for claims arising out of Internet activities such as maintaining a Web site and programming and maintaining software. A few policies cover lost profits when a site is disrupted or shut down by a hacker or denial of service attack. Such policies also cover the costs to restore, reconstruct or repurchase the corrupted software.

The most comprehensive coverage, offered by four major insurance companies, is called NetSecure. This policy covers claims made against the insured rising out of Internet activities, as well as lost profits when the system is hacked or corrupted by a virus. In addition, NetSecure covers claims arising out of the content on a site, including claims alleging infringement of copyright and trademark; invasion of privacy; libel and slander; plagiarism; and a claim that the insured took insufficient measures to protect the data of others (e.g. customers’ credit card numbers) from a hacker.

Cyber risks are growing as fast as e-commerce. Companies involved in e-commerce should seriously assess the cyber risks they face, then decide upon the most appropriate and cost-effective manner of managing such risks.

How to reach: Marsh USA Inc., www.marshweb.com

Geoff Fallon (Geoffrey.D.Fallon@marshmc.com) is with the Columbus office of Marsh and leads the financial and professional practice for the Great Lakes region of the insurance broker. His more comprehensive article on cyber losses and cyber coverage may be obtained at no charge by calling Marsh at 460-8100.