LOS ANGELES: The computer worm that clogged Internet traffic and shut down
vulnerable corporate networks this weekend also provided another boost to the
emerging market for hacker insurance.
Hacker insurance, also known as "network risk insurance," has been
on the market for about three years, but is expected to explode from a $100
million sideshow into a $2.5 billion behemoth by 2005, according to insurance
industry projections.
This weekend's Internet attack, which virtually cut off Internet access in
South Korea and toppled other networks worldwide, underlined the impossibility
of total computer security, said Counterpane Internet Security Chief Technology
Officer Bruce Schneier. "I believe that within a few years hacking
insurance will be ubiquitous," Schneier said. "The notion that you
must rely on prevention is just as stupid as building a brick wall around your
house. That notion is just wrong."
At the same time, some security experts questioned whether insurance policies
would be effective, given that many of them exclude more incidents than they
cover and that where and how an attack could come is unpredictable.
Still, the hacker insurance field got a big boost on Jan. 1, when many
existing commercial general liability policies expired and were replaced by
policies that contain explicit exclusions for hacker-related losses, attorney
Robert Steinberg of Latham & Watkins in Los Angeles told clients in a recent
brief.
"Particularly given the post-Sept. 11 climate, fears about how such
vulnerabilities and attendant magnitudes of loss might impact on national
security have reached a critical mass," Steinberg wrote. "That hacking
represents a danger to any industry and any type of business is by now a
veritable truism."
Insurers typically require a third-party assessment of an applicant's
existing security system -- which costs up to $50,000 -- as well as evidence that
the company's board has taken reasonable steps to protect its network from
hackers.
Applicants may be required to engage additional risk management processes to
qualify, such as installing surveillance and intrusion detection software,
requiring password changes and performing routine security checks.
© Reuters