Geoffrey Fallon

Monday, 22 July 2002 09:40

Safety Net

While e-commerce is growing exponentially, little attention is being given to the new and expanding risks of doing business on the Net.

Moreover, these new risks are not generally covered by a company’s standard insurance program.

In early February, some of the most well-known Internet sites, including those of Yahoo! Inc., Inc. and eBay Inc., were hit with denial of service attacks that closed down their systems for several hours by blocking access to legitimate users and customers. It has been reported that Yahoo! lost $500,000 due to the attacks.

Internet retailer CD Universe, an online seller of compact discs, was infiltrated by a hacker who stole the credit card numbers of 300,000 customers. The hacker threatened to post 100,000 credit card numbers on the Internet unless the company paid him $100,000.

CD Universe refused, and the hacker posted 25,000 numbers. While a credit card holder is generally only liable for the first $50 of fraudulent credit card use, the credit card issuer incurs the remaining loss. Cardholders are unlikely to sue for $50, but it is conceivable that a card issuer may sue a company such as CD Universe, alleging its loss was caused by the company’s negligence in maintaining security for its Web site.

Despite the growth and pervasiveness of e-commerce, the losses outlined are not covered under a company’s standard insurance program because there has been no triggering event of property damage or bodily injury. The negligent or intentional insertion of a malicious virus into a computer system causes neither property damage nor bodily injury. As a result of this coverage gap, the insurance industry has recently responded with several new insurance policies to cover cyber risks.

Several policies provide coverage (legal fees and amounts for settlement or judgments) for the insured’s liability to others for claims arising out of Internet activities such as maintaining a Web site and programming and maintaining software. A few policies cover lost profits when a site is disrupted or shut down by a hacker or denial of service attack. Such policies also cover the costs to restore, reconstruct or repurchase the corrupted software.

The most comprehensive coverage, offered by four major insurance companies, is called NetSecure. This policy covers claims made against the insured arising out of Internet activities, as well as lost profits when the system is hacked or corrupted by a virus. In addition, NetSecure covers claims arising out of the content on a site, including claims alleging infringement of copyright and trademark; invasion of privacy; libel and slander; plagiarism; and a claim that the insured took insufficient measures to protect the data of others (e.g. customers’ credit card numbers) from a hacker.

Cyber risks are growing as fast as e-commerce. Companies involved in e-commerce should seriously assess the cyber risks they face, then decide upon the most appropriate and cost-effective manner of managing such risks.

How to reach: Marsh USA Inc.,

Geoff Fallon is with the Columbus office of Marsh and leads the financial and professional practice for the Great Lakes region of the insurance broker. His more comprehensive article on cyber losses and cyber coverage may be obtained at no charge by calling Marsh at 460-8100.

Monday, 22 July 2002 09:58

Who needs Y2K insurance? You might.

This is not another doom-and-gloom forecast of how the Y2K problem, or millennium bug, will cause the world to end Jan. 1, 2000. Rather, it addresses a major question: If damages result from the Y2K problem, will insurance companies pay the resulting claims?

Staking your claim

The answer seems to be yes, maybe and no. That’s because there are three types of claims, including:

  • Claims for loss of revenues and profits if a business cannot function. This type would not be covered by regular property or business interruption insurance policies. Therefore, a loss that results from computers shutting down probably would not be covered under current policies.

  • Claims for damages by third parties harmed by products that fail or services that cease to be delivered. If a medical device such as a ventilator fails, for example, this could cause serious injury and be life threatening. A liability lawsuit in this instance should be covered, unless insurers add an exclusion to existing policy language.

  • Claims against companies that have financial problems resulting from Y2K noncompliance. These might come from shareholders who feel that stock prices decreased because company management was not proactive in addressing the Y2K issue. This type of claim would normally fall under a directors and officers liability policy, which protects senior management from claims for economic damages as the result of mismanagement and poor decision making.

Unless insurers specifically add exclusions to such policies, these coverages should respond to claims resulting from alleged Y2K mismanagement.

Taking action

So what can a company do? What can you expect insurers to do?

  • Protect any existing coverage. Insurers are asking businesses to complete Y2K questionnaires so they can decide whether existing coverage should apply to Y2K risks or if they should add Y2K exclusions. Policyholders must take action to prevent an exclusion from appearing on their policies.

  • Don’t complete every questionnaire received. Some ask unanswerable questions or require listing every piece of equipment a firm owns or uses. Others state they are warranties that will be attached to the policy itself. Therefore, if a mistake is made on the questionnaire, coverage for a claim could be voided.

  • Prepare a description of your Y2K plan. Include the scope of the problem within the organization, the plan for remediation, the resources dedicated to the plan, time frames and progress to date. If insurers balk at accepting the description, offer to review it verbally (in person or by conference call) to answer questions.

  • Consider additional coverage. Several new insurance products have been introduced specifically to protect organizations from Y2K claims. Companies should work with their insurance brokers or consultants to determine if these should be considered.

  • Review the insurance implications of using Y2K consultants. Companies that use them must assess the consultants’ insurance coverage. Companies should ask suppliers that manufacture products with computer chips about their Y2K remediation efforts and insurance coverage. If consultants or manufacturers contribute to a firm’s Y2K problems, their ability to help if a loss occurs may be limited to the valid and collectable insurance they have.

In looking ahead to 2000, there is the possibility that disputes over claims resulting from the millennium bug could wreak havoc on a firm’s ability to protect itself from lawsuits or recover for business interruption claims. Firms should proactively address these issues with insurers now, before losses occur, and position themselves for maximum protection in the event the worst case becomes reality.

Geoffrey D. Fallon is a vice president with the Columbus office of J&H Marsh & McLennan, an international insurance and risk management consulting firm. He can be reached at 461-6400.