Following last year's Turnbull Report, companies need to take out ‘cyber risk' policies to prevent internal information being stolen over the internet. Robin Dahlberg reports....

The internet has become so much a part of corporate DNA, that is all too easy to allow its benefits to obscure the threats and vulnerabilities it presents. Couple this with the changing regulatory environment – as evidenced by the recent introduction of the Turnbull Report – and there is a danger that both corporations and their insurers may be greatly underestimating the seriousness of the situation. Therefore, it is worth exploring why the internet has completely changed the risk management landscape.

Open systems such as the internet may have many business advantages, but every silver lining has its cloud. By its very nature, the accessibility and relative anonymity of internet users make internet-based systems (and the integrity of the information stored on them) constantly vulnerable to security threats.

In fact, the internet is a criminal's dream. Compare it to the physical world: just imagine if every door lock was designed to the same standard with the same combination or key; or the windows in your house had no locks at all. This is effectively the security environment that open standards have provided for internet hackers.

Not only are existing doors and windows relatively defenceless, but, on the internet, new doors and windows appear on a seemingly random basis. Every time a new user, new computer or new business application is added to a company's network, new vulnerabilities are introduced too.

Not only this, but internet criminals are, to all intents and purposes, invisible, can change their identity at will and break in from the other side of the world.

This is the reality of doing business on the internet today, a network relied on by every critical sector, including banking, government, transportation, telecommunications, emer-gency services and even the insurance industry.

But the new digital economy is not entirely defenceless. Unfortunately, the skills available to create a secure internet environment are scarce, and thus very expensive.

However, organisations are being urged to assess the true extent of their risk exposure from a regulatory perspective too. The Turnbull Report guidelines are intended to foster a risk-based framework for establishing a system of internal control.

Although the report is perceived in some quarters as simply an additional requirement for London Stock Exchange (LSE) regulatory demands, the Turnbull committee has gone to great pains to emphasise that this is a much more wide-ranging approach to embedding internal control in the business processes by which a company pursues its objectives. When the guidelines came into force last year, they demanded full compliance with the requirements of the LSE Listing Rules in relation to internal control disclosure for the first accounting period ending on or after December 23, 2000.

Taking the right steps
Although the Turnbull guidelines are not mandatory, they are linked, via the Combined Code on Corporate Governance, to the Listing Rule disclosure requirements of the LSE. As a result, non-compliance with the Turnbull guidelines could result in an embarrassing disclosure in the annual report, which could attract the attention of the press, shareholder activists and institutional investors. However, even non-listed organisations, in principle, can benefit from the Turnbull recommendations in terms of providing a framework for better assessing and managing risk.

With the Turnbull guidelines now in place, it is vital that companies take the necessary steps to ensure that risk management and internal control are firmly linked with the ability of the company to fulfil clear business objectives. As part of the risk management review process, organisations need to be able to identify the risks that could undermine the safeguarding of assets from inappropriate use, loss and fraud, as well as identifying and managing liabilities. The internet presents one of the biggest threats of all in this respect.

Fortunately, the information security industry is now starting to work together with insurers to give organisations the option to participate in e-business, to overcome security skills shortages and deal effectively with hackers and other threats.

But how do you quantify the risk? Detailed quantification of risk is clearly desirable, but in many cases it will be enough to assess the risk as high, moderate or low. The important issue is that the board and management develop a clear, shared understanding of what risks are unacceptable or likely to become unacceptable, and then decide how they are going to manage these risks using different control strategies.

Turnbull splits the risk categories into four broad areas: business, financial, operational and compliance. The direct and indirect threats of failing to assess and manage internet security-related risks could potentially impact on all four of these categories.

So how do you go about identifying these risks? As part of this exercise, the following questions may be useful to ask:

  • What type or fraud or information security issues could the business be susceptible to?
  • What problems have already happened to us or our competitors in recent times?
  • What would we hate to see in the press?

    It is important to remember that protecting against high-profile threats such as virus attacks is only part of the issue – companies need to minimise their exposure to misuse of any electronic information or assets they have. These could be HR records held on a database, medical data in a hospital or drug formulae at a pharmaceutical manufacturer.

    Control strategies
    Once the risk is identified, there are several control strategies that can be adopted, such as accepting the risk, transferring the risk (passing it on to another party), elimination (by adopting an exit strategy), sharing the risk with another party or insuring against some or all of the risk.

    Companies attempting to use internal resources to cope with the risks posed by internet security threats are finding that there is a dearth of available expertise available to properly deal with this.

    Many companies are now looking to outsource the management of these security risks and seek insurance against the exposure.

    So what are the opportunities for the insurance industry? Quite simply, it should be to capitalise on the new risk coverage demands of businesses, large and small.

    However, most current insurance policies do not seem to take into account many of the issues raised above. For example, typical policies do not usually offer the global coverage that doing business on the internet requires. Exclusions and definitions in policies tend to limit cyber risk coverage. Also, many companies do not have errors and omission coverage. And under traditional property policies, business interruption and extra expense is triggered if the direct loss is insured – but property direct losses were designed for physical assets and physical perils, not information assets and electronic risk.

    There is clearly an increasing demand for insurance policies that take account of the new business environment. Insurance companies should be analysing current client arrangements to assess where the gaps lie in existing cover and pointing out what could and should be done to insure against the ever-changing risk exposure created by the internet.

    Developing specific cyber risk policies should provide fertile ground. But in order to do this accurately, insurers need to ensure that the risk assessment and management of internet security is placed in the hands of an organisation that can provide the highest levels of expertise and standards compliance, as well ensuring that insurance policies take into account the changed environment that modern businesses now operate in.

    The internet has created a far more open and dynamic commercial environment, but by its very nature it creates an ever-changing level of risk exposure. The risk transfer solutions developed for traditional bricks-and-mortar business are well established and understood, but the internet has changed the rules.

    With the introduction of the Turnbull Report, which more or less forces UK plcs to implement control systems for managing risk, there is a golden opportunity for the insurance industry to seize the bull by the horns and develop products and services that meet the very demands of the internet economy.

  • Robin Dahlberg is the managing director of Internet Security Systems.