THE MAGAZINE FOR FINANCIAL DIRECTORS AND TREASURERS

TREASURY AND RISK MANAGEMENT March 2001

CYBER TRAP
Insuring an e-business is far from easy.
By Lotte Chow

Joe Chan was a happy man. In the three months since the finance manager's retailing company started an on-line shopping mall in Hong Kong, his staff had enrolled 27,000 members, or 30 a day, not a small feat in a city that has as many shops as there are shoppers. But before Chan could uncork the champagne, the bad news hit. Someone had broken into the company's website and copied customers' credit card information, including expiration dates, cardholder names and addresses. Aside from the potential loss of business, Chan was worried that the shoppers might sue for invasion of privacy due to the loss of confidential information. "The hacker apparently got in the website by using a password and passed himself off as a company executive," says Chan.

Chan's experience underlines how vulnerable today's companies are to crimes in cyberspace. Although dot.coms, ISPs (Internet service providers), software developers and web designers are most vulnerable, any company with an e-business can be in peril. "If you are connected, you are at risk," says PricewaterhouseCoopers partner Gerard Tan in Singapore. Even behemoths in the computer industry like Microsoft and Yahoo have been the victims of cyber-crimes or attacked by hackers. And with the use of the Internet increasing and cyber-criminals becoming more sophisticated, the number of cyber-crimes is expected to grow. Sales of e-business liability policies are expected to exceed US$2.5 billion worldwide this year, industry analysts estimate.

Despite this, many companies seem undaunted and have not sought to insure themselves against e-business risks. Managers either aren't familiar with the issue, can't afford the additional expense, or have been too busy to turn their attention to an issue that is easily put off. For some larger companies, the industry is not mature enough to handle their complex needs or even to calculate the cost of potential losses.

US freight forwarding giant UPS Asia Pacific is one such company. UPS, which has started letting customers place orders on-line, doesn't have coverage for e-business risks, but has coverage for its business operations. Perry Chao, e-commerce head at UPS Asia Pacific, says: "We have found that the claims are not specific enough." Chao explains that if a mishap occurs in cyberspace, it is hard to calculate the cost of the potential loss of business, data or information, or the damage to systems, and have both the insured and the insurer agree on the amount of the claim. Chao also says that most e-policies cover key cities or countries in Asia but not the entire region, and that poses a problem to companies like UPS that operate throughout the Asia Pacific.

Like UPS, many companies are trusting their own IT departments to protect their systems from fraud. "We've heard about [e-business insurance] but we don't know very much about it," says web-based logistics market provider FreightStation CEO/CFO Tan Sek Wah in Singapore. "We rely on our technical people to protect our systems. In time, we'll look at the issue in depth."

Risk Averse

Revenue is what is holding back B2C portal Go-events.com's investment in e-risk insurance. CFO Jim James in Singapore says: "We are aware of e-business risks and the need for protection. But we aren't getting e-business insurance at the moment. We need to prioritize our expenditures." James says his company has indemnity against bad debt - a general business insurance.

Many companies are too busy building an e-commerce presence to worry about insurance. "We have started talking to consultants about getting e-business insurance," says Lisa Ko, accounting manager at Hong Kong-based Pacific NetMarkets, a B2B portal that was launched in December 1999. "Before, we just haven't had time."

The bursting of the Internet bubble in the second half of 2000 sent many Internet companies scrambling for funding, and caused many traditional companies to rethink or scale down their Internet strategies. AON Risk Services Hong Kong associate director Regina Chen says that in late 1999 she received many inquiries about e-business insurance products. "We saw a lot of business opportunities," Chen recalls. "But with tech stocks falling, many of these opportunities have since disappeared."

E-risk insurance products are also so new that many finance managers either aren't aware of them or don't know how to use them. Many products on offer by the few global providers that dominate the cyber-risk market in Asia, including Lloyd's of London, and US-based American Insurance Group (AIG) and Marsh & McLennan, are barely a year old. The Chubb Group of the US, for example, says it has yet to offer comprehensive coverage for its dot.com clients in Asia; many local providers say the same.

Ante Up

High premiums are also scaring away some companies. Insurance providers say e-business policy premiums are at least 25 percent higher than traditional insurance, partly due to the lack of a large pool of claims money to pay claimants if the need arises. Premiums also reflect the high security risks inherent in e-business systems and the lack of precedent for claims reimbursement.

Just how unwilling are some companies to chip in for policies? Some insurance brokers recall meeting senior management who reject e-business insurance because of the high cost. "Even though the shareholder agreement stipulates that the company have Internet liability, the management would go back to their shareholders and ask them to delete that clause so that they don't have to buy it," says one insurance broker in Hong Kong.

Despite the high premiums, Hong Kong property consultant Midland Realty bought an e-business policy last year. CFO Kelvin Lo says he sees e-risk insurance as a necessity as the group continues to grow its property-related services on-line. Midland has expanded from property broking, now offering property-related services such as news, price comparisons, legal services and market trends on-line. Lo wouldn't disclose how much Midland is paying for its one-year e-risk policy, on top of the general business insurance the company has, but he says the group shopped around and compared prices. Midland ended up spreading the risk categories between several providers, including AIG. "That way, it helps us to reduce our insurance bill," he says.

More companies are likely to purchase e-business insurance as the Internet sector matures, insurance professionals say. "Companies are getting more serious about purchasing [e-business insurance] because of the increased incidences of virus, hacker attacks and denial of service claims being reported in the news," says AIG Financial Services deputy general manager Chin Feng in Hong Kong. "More corporations are realizing that it is not covered under traditional policies." Feng adds: "In Asia, the implementation of e-commerce is fairly recent. When it comes to liability, cyber-risks are every bit as real as traditional commercial ones. So, if e-commerce is here to stay, e-business risks and insurance will stay with it."

Hacking Back

Companies will seek insurance for practical reasons, too. Security breaches such as vandalized websites, computer viruses, information theft and denial of service on the Net are the most common problems companies face, according to security experts, and the lack of criminal laws in cyberspace means prosecution is difficult, if not impossible.

This leaves little protection for companies that have been hacked. "E-business is one of the top priorities for CEOs nowadays, so it only makes sense companies have adequate protection for it," says PricewaterhouseCoopers Hong Kong principal consultant Raphael Young. "If companies have invested so much human and financial capital into their websites, they should do everything they can to protect them. Conducting an independent security assessment would be a start," says Young. Financial Services chairman William Bartlett at Ernst & Young in Sydney adds: "Of all business risks, IT risks may be the most challenging to understand and manage. Technology changes continually, and each change cascades through your company and creates new risks."

Stella Tse, an e-business risk specialist at insurance broker Marsh & McLennan Hong Kong, agrees. "Some e-business risks are so new and understated that many people don't know they exist," says Tse. "They go beyond people's traditional thinking of risks; they touch on the intangibles such as intellectual property, privacy and defamation." She adds: "The damage can be significant. Imagine there were a virus getting into your systems, the impact it would have on your company income, reputation and morale, and customer confidence."

To fend off possible attacks, companies have two lines of defense, IT professionals say. The first is to have strong network security such as firewalls, intrusion detection systems and anti-virus software. "But fast-changing technology, powerful hacking programs and security loopholes mean companies and systems with only internal defense remain vulnerable," says PricewaterhouseCoopers' Tan. He suggests a second line of defense - in the form of insurance coverage.

Some companies in Asia have e-business coverage, either because their shareholders have demanded it or they realize the value of having protection. Singapore-based e-business investment company Assetline Holdings has had e-business insurance since last May. "Our purpose is to have a secured website so that we can do our job effectively and efficiently," says CEO Marc J Edelstein. He says that Assetline's experience with hacking in its early days of operation taught the company the importance of being insured.

Not every company seeking e-business insurance will get coverage. All applicants need to undertake a business operations review and security assessment to determine their eligibility. The review looks at the company's business operation, security systems and risk exposure to determine whether it meets certain security standards. This helps the provider set the price, terms and conditions of the policy. The due diligence process can take days to weeks.

An independent consultant, appointed either by the applicant or the insurer, will also assess the IT operations of the company to give an unbiased opinion. With the company's consent, the consultancy will submit its report to the underwriter if the company decides to take out the insurance. "Given the high-risk nature of e-business systems, the company must demonstrate that it has in place sound security controls to reduce its risk profile to an accepted level," says PricewaterhouseCoopers' Tan.

Hong Kong-based Asia Online went through this process not long ago. The ISP bought its e-business coverage from Lloyd's of London, and is protected against a range of risks such as hacking, loss of data and professional indemnity. Asia Online CFO Gareth Stephens says getting the appropriate coverage was a lengthy process, from shopping for a provider and undertaking the risk assessment test to negotiating the terms, conditions and price of the policy. But the work and expense were worth it, Stephens says. "We've seen how some companies in the US have litigation in court" due to problems with their web operations, he says. "If there's one case, the cost of defense can be substantial. We don't want that to happen to us."

Lotte Chow is a contributing editor at CFO Asia based in Hong Kong.

Cover Up

Because traditional insurance policies addressing mainly physical disasters aren't designed to look at e-business risks, companies need specially developed e-business policies. Jardine Lloyd Thompson Hong Kong's financial and special risk director Ali Chaudhry suggests a template for coverage:

Loss caused by fraudulent and malicious acts committed against the insured's computer systems, electronic computer programs, electronic information and records
Loss of intellectual property when trade secrets are copied or recorded
Extortion when someone threatens to introduce a virus into the computer system or threatens to divulge, disseminate or utilize information held on the computer systems
Business interruption and extra expense caused by a computer virus; accidental or malicious destruction of the electronic information inside the computer system
Costs of information security experts' loss-control services
Multimedia liability such as libel, slander, invasion of privacy, infringement of copyright, plagiarism and false advertising
Computer systems liability such as prevention of authorized access, including denial of service, damage to a third party's computer system, breach of security, theft of information, hosting, breach of duty, conduct of e-commerce
Expenses for legal fees in defense of a claim
Rehabilitation expenses to re-establish reputation and market share after loss or claim

Bad Things Happen

Insurance can cover the following damages and conflicts that occur in cyberspace:

Theft, disclosure and damage to a company's electronic data
Fraud and malicious code
Denial or loss of service as a result of business interruption
Access violations to the company's systems
Privacy invasion as a result of unauthorized disclosure of information
Programming errors committed against the company's systems

Source: Marsh Hong Kong