Hack attacks

Every time one of your employees sends an email, your company could face ruin. Why? Because since January the world's major reinsurers have decided to exclude digital risks, leaving thousands, if not millions, of pounds worth of companies' data and intellectual property exposed.

In financial terms, another terrorist attack on the scale of the World Trade Centre could cost the global economy between $50bn (£31.2bn) and $75bn (£46.8bn). Nearly two-thirds of that sum will be due to the collapse of the world's computer systems, according to industry experts.

The situation is so serious that the Department of Trade and Industry, the Association of British Insurers (ABI), and the International Underwriting Association (IUA) have set up working parties to investigate the risks the private sector now faces and what products insurers can and should offer.

"Some companies are uninsured," says David Ovenden, chairman of the IUA's digital risk working party and Royal & SunAlliance (R&SA) director of group underwriting and claims. "Some might have bought a recompilation of data cover policy which does cover digital, but most won't have this specific cover.

"The companies that are most vulnerable are the ones put under pressure to create websites to complement their business - like the media or small to medium enterprises (SMEs)."

Hacking has become a sophisticated criminal activity and reinsurers are worried about the aggregation of claims from "contagious" cybercrime and cyber extortion, Ovenden says. During the renewal season this year, reinsurers demanded clarity on property risk and CAT policy wordings, and concluded that data was not physical property.

"Among insurers, brokers and commercial business there is a general lack of awareness," says Cunningham Lindsey commercial projects director John O'Neill. "One of the fundamental risks is basic email. It can affect a much wider audience and is less easy to control," says O'Neill. One notable defamation case was Western Provident v Norwich Union (NU), when Western Provident discovered certain NU employees were circulating false rumours about Western Provident finances on NU's internal email system.

"Even now, despite that case, most companies are still not aware of the risks they are facing," he adds.

The digital risks market is limited in the number of insurers and products available. Of the big players, Chubb Insurance, Hiscox, AIG, St Paul Insurance and R&SA offer specialist "bolt-on" policies.

"The amount of business flowing into the market is limited, by the number of companies willing to touch it and by the amount of capacity available," says Alexander Forbes executive director Trevor Moss.

Network security
AIG has developed a series of products and wordings under the brand name, netAdvantage. Its content liability product offers coverage for any form of defamation and "internet media" conduct and infringement problems of the insured's business, such as promotions and advertising.

Late last year internet service provider (ISP) Cloud Nine was hacked by IT cyber terrorists to the point where the whole system went into meltdown. Ace Global Markets decided then not to insure ISPs.

But all is not lost. With the blessing of insurers such as AXA, R&SA and the Lloyd's Market, St Paul has created an e-risk wording known as the "network security" wording, which is hoped will be the industry standard.

Safeonline vice-president for Europe, Stuart McMillan said: "There is huge potential in this market - it's just waiting for brokers to grab it by the scruff of the neck.

"At the moment it is worth $200m (£125m), but estimates put the worldwide market as potentially worth $10bn (£6.25bn) to $15bn (£9.4bn)."

Ace and Safeonline's guide to company risk

Level of complexity
Level 1 - Simple PC or PC network
You have email for external and internal use

Level 2 - Database system
You store company information, customer records and confidential financial and HR details on a company network

Level 3 - Transaction processing
Your company has technology to automate financial processes

Level 4 - Supplying an IT service
You are supplying a service that is underpinned by technology

Level 5 - E-business
Your company has made a strategic investment in technology and has a revenue dependency on this area of your business

Digital risks
Third party liability - a company is liable for any losses experienced by another as a result of: