A company could face huge liabilities each time an employee sends an email. Why? Because major insurers have now excluded digital risks.

Every time one of your employees sends an email, your company could face ruin. Why? Because since January the world's major reinsurers have decided to exclude digital risks, leaving thousands, if not millions, of pounds worth of companies' data and intellectual property exposed.

In financial terms, another terrorist attack on the scale of the World Trade Centre could cost the global economy between $50bn (£31.2bn) and $75bn (£46.8bn). Nearly two-thirds of that sum will be due to the collapse of the world's computer systems, according to industry experts.

The situation is so serious that the Department of Trade and Industry, the Association of British Insurers (ABI), and the International Underwriting Association (IUA) have set up working parties to investigate the risks the private sector now faces and what products insurers can and should offer.

"Some companies are uninsured," says David Ovenden, chairman of the IUA's digital risk working party and Royal & SunAlliance (R&SA) director of group underwriting and claims. "Some might have bought a recompilation of data cover policy which does cover digital, but most won't have this specific cover.

"The companies that are most vulnerable are the ones put under pressure to create websites to complement their business - like the media or small to medium enterprises (SMEs)."

Hacking has become a sophisticated criminal activity and reinsurers are worried about the aggregation of claims from "contagious" cybercrime and cyber extortion, Ovenden says. During the renewal season this year, reinsurers demanded clarity on property risk and CAT policy wordings, and concluded that data was not physical property.

"Among insurers, brokers and commercial business there is a general lack of awareness," says Cunningham Lindsey commercial projects director John O'Neill. "One of the fundamental risks is basic email. It can affect a much wider audience and is less easy to control," says O'Neill. One notable defamation case was Western Provident v Norwich Union (NU), when Western Provident discovered certain NU employees were circulating false rumours about Western Provident finances on NU's internal email system.

"Even now, despite that case, most companies are still not aware of the risks they are facing," he adds.

The digital risks market is limited in the number of insurers and products available. Of the big players, Chubb Insurance, Hiscox, AIG, St Paul Insurance and R&SA offer specialist "bolt-on" policies.

"The amount of business flowing into the market is limited, by the number of companies willing to touch it and by the amount of capacity available," says Alexander Forbes executive director Trevor Moss.

Network security
AIG has developed a series of products and wordings under the brand name, netAdvantage. Its content liability product offers coverage for any form of defamation and "internet media" conduct and infringement problems of the insured's business, such as promotions and advertising.

Late last year internet service provider (ISP) Cloud Nine was hacked by IT cyber terrorists to the point where the whole system went into meltdown. Ace Global Markets decided then not to insure ISPs.

But all is not lost. With the blessing of insurers such as AXA, R&SA and the Lloyd's Market, St Paul has created an e-risk wording known as the "network security" wording, which is hoped will be the industry standard.

Safeonline vice-president for Europe, Stuart McMillan said: "There is huge potential in this market - it's just waiting for brokers to grab it by the scruff of the neck.

"At the moment it is worth $200m (£125m), but estimates put the worldwide market as potentially worth $10bn (£6.25bn) to $15bn (£9.4bn)."

Ace and Safeonline's guide to company risk

Level of complexity
Level 1 - Simple PC or PC network
You have email for external and internal use

Level 2 - Database system
You store company information, customer records and confidential financial and HR details on a company network

Level 3 - Transaction processing
Your company has technology to automate financial processes

Level 4 - Supplying an IT service
You are supplying a service that is underpinned by technology

Level 5 - E-business
Your company has made a strategic investment in technology and has a revenue dependency on this area of your business

Digital risks
Third party liability - a company is liable for any losses experienced by another as a result of:

  • Inadvertent transmission of a virus
  • Defamation (libel) or discrimination
  • Intellectual property infringement such as copyright and trademark

    Your own financial loss as a result of damage to the availability, integrity or confidentiality of company data held on computer, network or website. Any company may experience data loss either as a result of an external attack, or more likely as a result of a deliberate or inadvertent error by an employee

    Your own financial loss as a result of theft or funds/assets. This could be through the dishonest processing of invoices, orders/payments or extortion

    Third party liability as a result of failing to deliver as promised. Issues occur when a system or product you make available or sell to your customers fails to operate as promised.

  • Security breach
  • Network failure
  • Invasion of privacy

    The strategic importance of technology infrastructure means, should it become damaged or fail, your business will suffer direct financial loss

  • Business interruption
  • Loss of revenue
  • Extra expenses

    Who are the hackers?

    Kiddie scripter
    Spotty, disruptive youths who think it's a great idea to deface a website with abusive comments and electronic graffiti. They have access to a number of basic internet tools to hack through preliminary firewalls. They show off their handiwork on www.attrition.org.

    Old school hacker
    A university graduate, with long experience in system software. He is older and has an interest in breaking through complex security systems. He is often tempted to exploit these skills for his own ends.

    Corporate raider/criminal
    Criminals or individuals intent on making money from either money-laundering or corporate espionage. McDonald's was attacked five years ago by criminal hackers. Its corporate website was completely altered and then shut down. This type of hacking can affect a company's brand equity and cost millions in lost business, repair and security costs.

    Groups such as Al-Qaeda, the Red Brigades and ETA want to wreck governments and the global economy. They have access to extremely sophisticated systems through financial backing from criminal activity. But many can still create mayhem by using simple systems.

  • Topics