"Litigating in IT is like putting the gun to your own head and pulling the trigger," says Garry Collings, general manager IT development, Tranzrail, when asked why his organisation has not taken out IT insurance. But in a business environment in which hacking, denial of service attacks and credit card fraud present serious risks to networked companies and e-businesses, insurance premiums may soon form an essential cost line in IT budgets.
Insurance companies are foraying into this new field of providing cover for the risks around e-enabled systems. But are they, as they claim, addressing the concerns of both technology providers and users? Or are they merely creating a need where IT directors should be managing their own risks? And how willing are IT directors to tack more expenses onto their already over-stretched IT requisitions? David Fisk, development manager, Information Technology Insurance Specialists, admits there was a "mixed" response from the market when the firm was set up in October 1999, but this is now changing.
"Clients perceived it as another bill to pay. By explaining to our clients that it is more an investment into the future of their company, they have started to come around," says Fisk. The Sydney-based company is an insurance broker tailoring insurance and risk management solutions for businesses.
Phil Hobson, head of Marsh Technology Group New Zealand, says the awareness of New Zealand companies about the need for the new insurance cover "has risen dramatically over the last three years" and has been highlighted by the publicity on claims and education by insurers, brokers and technology security specialists.
Dean Edwards, technology manager for St Paul International Insurance, makes the same observations. "It's far easier to discuss this compared to four months ago," says Edwards whose firm has launched two IT industry products in New Zealand.
Today's networked enterprises face a host of challenges. Glen McCauley, enterprise risk services manager, Deloitte, notes: "Security in most organisations in New Zealand remains very poor and, as such, when organisations connect to the Internet they are facing significant increases in exposure, which they are not addressing."
Deloitte recently conducted a survey on information security. The results indicated a significant under-investment by New Zealand enterprises in information security measures. According to McCauley, 61 per cent of respondents spent under $50,000 on security; worse still, a further 18 per cent did not know how much they spent. "We also found that there is a lack of understanding about the processes of assessing and mitigating risks, which is essential to establishing a secure environment," he says.
Enterprises are hardly rushing to buy IT insurance - at least for the moment. Hobson says New Zealand insurers have reacted to the situation by providing tailored solutions. Many potential clients are generally aware of the potential for liability to arise out of the delivery of their products or services, he adds. However, a large number of organisations remain uninsured. Marsh now has a team of 10 brokers in New Zealand who specialise in providing advice on the range of risks associated with developing or using technology.
Hobson says redundancy in systems and mirroring of sites have historically proven to be the most practical method of managing problems that may arise out of a security breach. However, he believes the hidden costs of rebuilding systems and eradicating viruses tend to be taken on board by many as a business risk, even though these costs can be insured by a third party.
"Network protection is a growing issue of security with most organisations," says Hobson. For an insurer to accurately assess the risk, most organisations are required to undertake an audit by either a regulated self-assessment process or by using an external audit specialist. A security audit will typically provide an organisation with a warrant of fitness on its security protocols, he says.
His strong argument for taking out the extra cover: "Insurance sits behind the audit as a failsafe to provide revenue protection for organisations that suffer increased expenditure and revenue loss arising from a network or systems failure."
Edwards of St Paul, on the other hand, says the market for IT insurance "has been very good". There is, he says, high awareness among technology providers that their industry is exposed to risks. The users of technology "are becoming far more aware of their rights - they expect it to work".
So one of the biggest drivers in the market, says Edwards, is that IT providers are now asked to sign contracts that spell out what their potential liabilities are. "This was not true in the past three to four years."
Edwards says, in taking the characteristics of the New Zealand market into account, St Paul is making the products accessible and affordable to small and medium enterprises. He claims around 30 enquiries a day are received through the company's Website.
Enterprises without insurance cover are disadvantaged, he says, stressing insurance complements the work of the IT department. "We want the process to be perceived [as] more than offering insurance," he states. "We're talking about reasonable level of network security. The point is we're not trying to undermine the role of the IT manager."
MIS sought the opinion of NZ IT directors from across industries on the subject. Most of the IT directors who responded have not taken out such insurance and see no need for it at the moment. However, none of them discounted the necessity of such protection for other enterprises.
Brett Bennett, general manager information systems, Natural Gas Corporation, provides a simple explanation of why his company hasn't taken out such insurance. "We consider our cover under the company's overall insurance umbrella sufficient for our purposes."
IT insurance outright is just not necessary, says Collings. "What is necessary is to minimise the possible risks, if the risks are too large and not manageable, choose another option."
As his opening comments indicate, Collings is unimpressed with IT insurance, citing two scenarios. "I have a nice car with insurance. It gets stolen or smashed up. Insurance replaces and I'm happy." Compare this, he says, with the second scenario in which a company is building a "wonderful new business application" for him and for which he has insurance. The company fails.
"I have money and still no application. Was the insurance worth it? I say no. What is better is the management of the risks so that the supplier does not fail. I would spend possible insurance money on a better project manager."
Neville Brown, chief information officer, the Warehouse Group, says the retail chain hasn't taken out such an insurance policy. "We self insure," he says, but adds that other companies may need this type of insurance depending on their particular circumstances.
"I suppose my 'insurance' is the redundancy and systems we have in place to minimise the impact of IT problems," states Martin Cassidy, general manager IT, NZ Lotteries Commission, suggesting the commission's operations may place different demands on the insurance company.
"I expect the insurance companies can put a price on anything, but the Lotteries Commission would lose millions of dollars if we lost our system on a Saturday afternoon. What would we pay insurers to cover us for that potential loss? And the issue isn't just the dollars lost that day. It's the ongoing impact on revenues caused by such a failure of customer service. How would the insurers value that?"
Cassidy suggests a careful study of the matter. "I wouldn't mind seeing the numbers to see what the cost benefits are."
Loss by security failure
Reid McLaren, chief financial officer of the Employers and Manufacturers Association (Northern), likewise says the EMA has not taken any insurance to cover its e-business and IT functions, but is currently investing in one that would cover loss caused by failure of its firewall to stop unauthorised access.
Asked whether this protection is vital even if the enterprise has adequate security measures, McLaren replies: "It depends on the extent of the potential loss and cost of reinstatement and whether or not existing business interruption policies cover such a loss."
Agricultural portal Fencepost.com is one company that has taken out insurance for its e-business. Alison Andrew, its chief operating officer, says the board had initiated the move and offers this advice for enterprises. "There is more cover becoming available in the market. What to take out depends on the stage of the development of the business."
Computerland has also taken steps to insure its technology functions. "I think it's needed, as in our case it protects us in our service delivery to our clients," explains Huri Parata, IS manager.
"It is less the damage to materials that is of concern - as DR and security measures aim to mitigate risk associated with this - and more the intangibles that inhibit our service delivery, intellectual property, data integrity, error in judgement, reliance on service providers, and so on."
Parata says the company is also investigating new insurance to cover one aspect of its business. "Insurers are classifying Web designers as publishers. A potentially high exposure could also arise if a company has advertising links on their own site to another company. The link site could contain libellous, defamatory statements, or breaches of copyright that could result in both companies being held liable. This exposure is greatly increased by the fact that visitors to the site could be worldwide."
A future imperative
Gartner believes, by the end of 2006, a quarter of large enterprises will carry hacker insurance. And firms that take on this cover should be prepared to shell out more, if certain security issues - like those faced by Windows NT users - are unresolved.
Steven Froud, analyst for Business Continuity, claims while insurance is a vital part of business continuity strategy, it is only one aspect of managing business risks. "The use of insurance to transfer risk is needed to provide assurance against fire and theft. But it needs to be remembered that it's also important, as part of business continuity strategy, to insure the IT functions, facilities and equipment relating to hot sites, or other types of recovery centres in the same way you would your usual facilities and equipment. Business continuity and insurance go hand in hand in assuring against disaster."
McCauley of Deloitte reckons that, given the rapid state of change in today's IT market, it is often difficult to identify 100 per cent of an IT system's problems. "If organisations cannot afford the cost of a security breach, then an insurance policy is a 'must have', in the same way as building and contents insurance."
IT commentator Bruce Schneier also lists insurance as a must in a good security policy. Corporate duties of care require enterprises to find additional ways of preventing financial loss from hacking, he says.
If a renowned company is hacked, it is unlikely shareholders would be satisfied knowing the CIO "did their best". In around five years, Schneier predicts, "there will be high-profile shareholder lawsuits in companies that lose market share, stock value or money because they were hacked. When officers don't take due care with their corporate assets, they get sued.
"I believe that just like every company has insurance for fire, theft and business continuity, as well as 'key man' insurance for executives, they should have network insurance, period."