By Ara Trembly
Like most devoted sports fanatics (thats where we get the word “fan” from), I tend to find joy in anything that boosts the fortunes, or likely fortunes, of my favorite teams.
For example, if, say, future-Hall-of-Fame pitcher Greg Maddux of the Atlanta Braves were to be out for the season with an injury, that would give me–a fan of the hapless New York Mets–cause for hope in the race to win the National League East.
(OK, sports fans, I know my team has been abysmal, but baseball loyalty knows no logic, so dont expect to find that here.)
Of course, no true sports fan wishes such an injury on an opposing player, but when it happens to someone whos a particular nemesis to our club, we sometimes cant help but chuckle a little (heh, heh).
The same holds true with cyber risk insurance, which is generally designed to protect companies against the consequences of hacking, viruses and other types of computer-related threats.
Certainly, insurers dont wish that companies would have their computer systems hacked into or that any losses would be sustained. Yet it must be difficult for carriers who sell cyber risk insurance not to at least crack a smile when a hacking incident–especially a high-profile event–takes place.
After all, such incidents make the case for cyber risk insurance, especially where the victims have no applicable coverage. Each time the media report a security breach that results in loss of money, time or prestige, cyber risk insurers must be silently saying, “See? I told you so.” More importantly, such reports are making potential cyber attack victims sit up and take notice.
Given the obvious increase in reportage of these incidents, is it any wonder that Zurich North America reports that in 2002 it doubled the number of e-risk policies it wrote in 2001? And, as cyber crime continues to increase, would it surprise anyone to know that a cyber risk insurer somewhere is doing a happy, silent little finger dance on the calculator he uses to forecast sales of these policies?
Of course, we could write all this off to the normal ebb and flow of business, except for one disturbing factor. What were talking about here is the building of profits based on criminal behavior in society at large. Ironically, activities such as hacking are creating a booming industry for security vendors and purveyors of cyber risk insurance alike.
Is hacking really that bad in the world of criminal activity? The answer depends on your point of view.
According to Computerworld, organized hacking syndicates are targeting financial institutions around the world, and some of those institutions are willing to pay these criminals “hush money” in order to protect their reputations.
In a real sense, such extortion may become the “organized crime” of the 21st Century. When we consider the “soldiers” of this “mob,” were probably not talking about some footloose teenagers with too much computer knowledge and too much time on their hands.
On the other hand, there are some who engage in hacking for the fun or the thrill of cracking the systems of some “evil” corporation or government. In fact, an entire culture has grown up around hacking. Just visit the Web sites of 2600-The Hacker Quarterly (www.2600.com) or Phrack Magazine (www.phrack.org) and youll find a cornucopia of hacking-related articles, merchandise, videotapes, clothing, etc. They even have their own seminars and trade shows.
Phrack profiles one hacker, named “horizon.” Asked what “drives” him into exploiting bugs in order to hack into systems, horizon states, “I think it comes down to a compulsion to figure all this stuff out.” Ah, youthful curiosity (horizon is in his mid-20s).
Among “memorable experiences,” horizon lists “weekend drinking/hacking/coding sessions” and “almost getting fired from my university job for hacking Microsoft.” Good clean fun, some might say. “Boys will be boys,” others could opine.
Looking at the “young and curious” breed of hackers, one doesnt get a sense of menacing danger. On the other hand, one does get the impression that they wouldnt be terribly upset if a company went down in flames as a result of their hacking activity. Its a curious mixture of “Animal House” and “Black Sunday” (a 1976 thriller about terrorists who try to wipe out the entire crowd at the Super Bowl).
“Hacking is a crime. Whether theyre a cute high-schooler or not, they have committed a crime,” says Barbara Ewing, vice president of e-business solutions underwriting for Zurich North America, who is based in Baltimore.
“Criminals like to copy each other,” she continues. “The more publicity there is, the more people want to do it. A lot of cyber crime is done by people who are doing it for the glory, the bragging rights.”
Its just this set of facts, however, that make this particular crime a win-win for the criminal and for insurers who sell cyber crime policies. Hackers get their jollies and their status boost (at least among the hacking fraternity), and carriers get marketing material for their cyber risk insurance sales efforts.
“It creates a need, yes,” says Ewing of the increase in hacking incidents. “But we dont want to encourage hacking.” And, I certainly believe that statement is true for the majority of insurers out there.
Ours is, by and large, an honorable industry, and cyber risk insurance makes a lot of sense, especially, as Ewing points out, where exposure of confidential data or compromising of e-business capabilities represent a serious danger to the firm and/or its customers.
The best thing we can do as data processing enterprises is to thoroughly protect our most precious electronic assets, thus making ourselves eligible for lower rates if, indeed, we decide to purchase cyber risk protection.
Get serious about security, and get serious about IT procedures that safeguard valuable data. This is not the time to skimp on budget for protective initiatives or technologies.
Dont let either the hackers or the cyber insurance marketers chortle at your expense.
Reproduced from National Underwriter Edition, May 5, 2003. Copyright 2003 by The National Underwriter Company in the serial publication. All rights reserved. Copyright in this article as an independent work may be held by the author.