A new survey reveals many of the nation's largest employers are not prepared to handle
eCommerce and eCommunication risks. From dot.com companies to brick-and-mortar businesses using the Internet to dispense information or sell products, few employers have implemented the type of comprehensive eRisk management program that can limit electronic exposures and reduce eLiability. As a result, many employers can expect to spend six- to seven- figures recovering from eDisasters.
Among the most common and costly eRisks facing the business community: (1) business interruptions caused by hackers, cybertheives, viruses, and internal saboteurs; (2) six-figure litigation costs and million-dollar settlements stemming from employees' inappropriate eMail and Internet use; (3) claims that products or services advertised on the Web fail to deliver; (4) Web-related copyright and trademark lawsuits; and (5) patent infringement claims with defense costs averaging $1 million and judgments running into the hundreds of millions of dollars.
Employers eager to reduce--and in some cases eliminate--costly
eLiabilities should implement effective eRisk management programs
combining preventive computer security tools and written ePolicies
with comprehensive eInsurance policies designed to mitigate damages after
eDisaster strikes. So note the cyberinsurance experts at Assurex International,
the world's largest privately held commercial insurance brokerage group,
sponsor of the May 2000 eRisk Survey, and ePolicy Institute Advisory Board Member.
The survey, conducted for Assurex by the Human Resource Institute (HRI) of Eckerd
(FL) College, involved Fortune 500 companies and national associations.
The Assurex eRisk Survey reveals many employers are doing a good job with basic prevention: installing monitoring, filtering, and anti-virus software; adding firewalls and encryption programs; and educating employees about hackers. Few US businesses, however, have purchased eInsurance products to mitigate eRisks and reduce liability costs after eDisaster strikes. A serious oversight, given FBI statistics that peg computer losses at $10 billion a year, thanks to hackers and other cybercriminals.
Specifically, the Assurex eRisk Survey reveals more than 21% of large employers' systems have been hacked by outsiders, with 15% reporting hacker attacks that resulted in business interruptions lasting two hours to two days. Another 40% have experienced an increase in attacks over time. Ironically, while nearly 73% of employers are concerned enough about hackers to implement employee education programs, few have taken steps to reduce the costs (including lost productivity and revenues) associated with hacker attacks. Business Interruption Insurance policies are held by fewer than 24% of businesses. Only 18% have Crime Loss Insurance. Under 13% of employers have Unauthorized Access, Unauthorized Use Insurance. Fewer that 6% have Crisis Communications Insurance to cover PR costs following eDisasters. And not even 2% have Extortion and Reward Insurance to cover costs associated with cyberterrorism.
Assurex President and CEO Thomas W. Harvey notes that Unauthorized Access, Unauthorized Use Insurance and Business Interruption Insurance, particularly, should be considered by any organization with an Internet presence. "If industry giants like Yahoo, eBay, and Amazon.com can be hacked, if government institutions like the Air Force and Navy can be cracked, if high-security installations like the Pentagon can be infiltrated by hackers 250,000 times a year, how can the average company expect to be safe from cyberattacks?" asked Harvey.
"Employers who think they can protect their assets simply by installing anti-virus software (98% of respondents), firewalls (96%), and encryption programs (69%) are kidding themselves. Computer security is just one part of the eRisk-management solution. Employers who want to be in business tomorrow must take control of their eRisks today, by purchasing eInsurance policies to reduce first-party losses and limit third-party claims."
Another surprising survey finding involved employee misuse of corporate eMail. Over 27% of large companies have defended themselves against claims of sexual harassment resulting from inappropriate eMail and/or Internet use. No surprise, then, that 60% of employers monitor employee eMail, 80% keep an eye on employee Internet use, and 93% have written policies governing employees' Internet and eMail use. Those steps, part of a comprehensive eRisk management program, are good. Alone, however, they do not offer adequate protection against liability, according to the Assurex eInsurance experts.
"Any organization that has a corporate eMail system is at risk," noted Harvey. "All it takes is one inappropriate or off-color eMail message to trigger a lawsuit. A written eMail Policy and Employment Practices Liability Insurance, which protects employers from workers' claims of discrimination or wrongful termination based on race, sex, age, or disability, are musts for any employer who grants eMail access to employees."
As the Love Bug and Melissa viruses have demonstrated, a computer virus can interrupt business, drain revenues, and destroy credibility. Not surprisingly, more than 98% of employers surveyed have installed anti-virus software. Fewer than 13%, however, have purchased Computer Virus Transmission Insurance. That leaves 87% of companies woefully ill-prepared to recover from a potentially devastating virus attack. "Where anti-virus software, eMail attachment policies, and other preventive measures sometimes fail, Computer Virus Transmission Insurance succeeds," noted Harvey. "Regardless of how a bug enters a system, Computer Virus Transmission Insurance helps cover the cost to restore the system to good health."
Overall, employers are not yet taking full advantage of the protections offered by many eInsurance products. The Fortune 500 companies and associations surveyed report owning the following eInsurance products: Electronic Data Processing Insurance that extends beyond general business liability policies (14%); Specialized Network Security Insurance (17%); Media Liability Insurance (22%); Patent Infringement Insurance (27%); Computer Software and Services Errors & Omissions Insurance (31%); Product Liability Insurance (42%); and Director's and Officer's Insurance (53%).
Among the eInsurance products listed above, Assurex views Director's & Officer's (D&O) coverage as a must for publicly traded dot.com companies exposed to allegations of SEC violations. When lawsuits alleging fiscal irresponsibility, mismanagement, violations of security laws, or other wrongful acts occur, corporations, directors, and officers may be at risk. D&O Insurance protects corporate assets, as well as the personal assets of directors and officers.
The Assurex cyberinsurance experts also advise any company using the Internet to dispense professional advice or sell services or products to consider Computer Software and Services Errors & Omissions (E&O) Insurance. Those most in need are firms whose professional advice, services, or products--if flawed--could cause financial loss to the consumer.
"No employer is immune from eRisk," said Harvey. "You cannot be present in every office every hour of the day. You cannot rely on employees to exercise sound judgment 100 percent of the time. And you should not discount the damage external hackers and internal saboteurs can cause."
The best advice: Assurex recommends any organization with
computer assets at risk consult an insurance broker with
eRisk management and cyberinsurance experience,
then establish an insurance and computer security program--complete with comprehensive written ePolicies--to help reduce electronic exposures and lessen the likelihood of costly litigation.
Thomas W. Harvey is President & CEO of Assurex International and
a member of The ePolicy Institute Advisory Board. Assurex
International is the world's largest privately held commercial insurance
brokerage group. Assurex is owned by more than 65 of the largest
independent insurance brokers in the United States and Canada. In addition,
Assurex maintains relationships with Assurex Synergy Group Partners in more
than 55 foreign countries. With local brokers in every major city of the world, Assurex is positioned to deliver seamless global insurance and risk management services wherever clients have assets at risk. Independent Assurex brokers employ more than 12,000 professionals on six continents and generate annual premiums in excess of $12 billion. Contact Assurex at www.assurex.com.
The ePolicy Institute is a leading online source of ePolicy training tools and content. Devoted to helping employers reduce eRisks, while helping employees enhance eCommunication, The ePolicy Institute offers visitors to www.epolicyinstitute.com a wealth of FREE ePolicy tips, tools, and downloadable content. ePolicyInstitute Executive Director Nancy Flynn, author of The ePolicy Handbook and Writing Effective E-Mail, is available for interviews. Contact 614/451-3200 or Nancy@ePolicyInstitute.com.
