Digital risk is all around us, but company directors are blind to it, Ben Cook reports.
It's time for British businesses to wake up to the threat of digital risk. So says Hiscox UK technology manager Stephen Wares. "It's vital that we create a recognition of these risks at boardroom level", says Wares. "It won't be taken seriously until it becomes a corporate governance issue."

The national hi-tech crime unit delivered a timely wake-up call to company directors last month when it published the results of its research into cyber-crime. The unit's survey showed that more than 80% of UK businesses had suffered some sort of computer crime in the last year. The cost to business was put at £195m, with £121m lost as a result of internet fraud.

The term 'digital risk' refers not only to IT-related problems, but any potential risk associated with technology. Cunningham Lindsey commercial projects director John O'Neill defines digital risk as "the risk of something happening with technology", adding that digital risk "is all around us".

Yet despite the ubiquitous nature of digital risk, company boards are slow to properly address the problem and even slower to buy digital risk cover. Wares says: "Company boards need to reprioritise insurance spend. Though companies may not buy hacker cover, they will inevitably buy buildings insurance. But they can always move to another building - company boards should consider the cost of reconstituting data."
Prioritising digital risk

O'Neill agrees that companies are, in general, unlikely to place a great deal of emphasis on protecting themselves against digital risk. "For boards of directors, it has not been the most important item on the agenda," O'Neill says.

His assertion is borne out by statistics provided by broker Digital Risk Solutions (DRS). "Between 80% and 90% of businesses don't realise that digital risks are not covered by standard insurance," DRS director Graeme Newman says.

Specialist internet liability insurance broker Todd & Cue says: "Many insureds are unaware of the risks they are running."

Todd & Cue's warning follows a recent case in the US in which AOL claimed on its general liability policy after software it had installed caused companies' systems to crash and lose stored data.

AOL made a claim against its insurers, St Paul Mercury, but the courts rejected the claim because the installation had not caused damage to "tangible property".

The AOL case highlights the massive gaps in the market for digital risk cover. Newman says: "The traditional insurance market focused on physical assets, but businesses are becoming more reliant on their IT systems. The traditional market hasn't caught up with this".

Wares agrees that the digital risk insurance sector is only a burgeoning one. "There are not many markets with decent books of business", he says.

Hiscox and AIG are two of the major players. Hiscox has a team of five underwriters specialising in technology professional indemnity and hacker cover, while AIG Europe offers a product called netAdvantage Liability, which offers third-party liability protection with limits of up to £15m.

But experts believe there are plenty of opportunities for other insurers in the digital risk market.

Newman says: "The UK market is very small and only a handful of risks are covered. There is a huge potential market, but many brokers don't understand this area and there are very few insurers in the market."
Day of reckoning

Wares believes it may take a major digital risk-related corporate collapse before UK businesses realise the potential threat posed by digital risk.

"It might take a listed company to go bust as a result of a hacker for this issue to be taken seriously - it could take a shareholder action against a company for directors to sit up and take notice," Wares says.

One of the newest digital risks relates to email marketing. Two new EC rules concerning email marketing are included in the Privacy and Electronic Communications (EC Directive) Regulations, which came into force at the end of 2003. The first new rule, which applies to all marketing messages sent by email, stipulates:
- That the sender must not conceal their identity
- That the sender must provide a valid address for opt-out requests.

The second new rule, which only applies to unsolicited marketing messages sent by email to individual subscribers, stipulates that the sender cannot send such messages unless they have the recipient's prior consent to do so.

Wares believes that the new regulations will trip up many companies.

He says: "With regard to anti-spam, companies are way behind. The opt-out issue will catch companies out. Commercial organisations have to keep pace with legislatory changes."
What is digital risk?

Digital risk insurance specialist Safeonline defines digital risk as "the risk faced by any individual or business who uses computers, networks, the internet and email". Digital risk falls into five categories:
- Third party liability - being sued as a result of transmission of a computer virus via email, infringement of another's right to privacy, defamation of another or another's products/services, or intellectual property (IP) infringement
- First party damage - financial loss as a result of loss of or damage to data, damage to a website or computer network, or infringement of IP
- Theft - financial loss as a result of deliberate theft, fraud or extortion using digital means. For example, fraudulent transfer of funds or theft of proprietary information
- Product or service failure - being sued as a result of the failure of a technology product or being sued because of a service failing to perform as promised
- Business interruption - loss of revenue and expenses as a result of interruption to the smooth running of the business.
IT attacks to worsen

Digital risk security specialist mi2g has predicted that there will be a "metamorphosis" in the nature of digital attacks in 2004. "It will no longer be possible to classify them along the rigid lines currently employed, such as viruses, worms, spam, denial of service and hacker attacks," mi2g says.
The cost of viruses