She and others participating in American Conference Institutes Fifth Annual Online Liability Conference in late June repeatedly addressed the need for specialty insurers to track the potential for an aggregation of losses from far-reaching distributed denial-of-service attacks and viruses that could impact computer networks simultaneously across the world. Such attacks, they say, could cause billions of dollars in property and business interruption claims–claims now being covered under specialty insurance policies.

Four of six panelists representing insurers and brokers assembled to discuss cyberinsurance product offerings listed “capacity” as a top-of-mind issue when asked to share their biggest fears with the audience.

“Ultimately, we hope private insurance can handle this issue,” Ms. Freeman said. Officials at very high levels of the federal government see this as a “critical infrastructure issue,” she reported. “They want to see the private insurance market handle this, rather than having it become an issue like flood.”

Ms. Freemans suggestion of the potential need for a government insurance program came in response to a question about the appetite for reinsurers to support the emerging specialty insurance market. “I think reinsurers are evaluating participating on treaties with high limits very carefully,” she said. But “I think there is reinsurance capacity out there,” she noted, adding, however, that reinsurers have “very serious issues” about the aggregation exposures of primary insurers.

Earlier, she explained that a major event, “like a virus that sweeps through the world in less than 24 hours” wasnt the only aggregation issue on the minds of insurers. “Theres also an issue of a single point of failure,” she said, referring to the possibility that a service outage for one “critical infrastructure provider,” such as an Internet Service Provider or a telecommunications company, could affect multiple customers–and multiple insureds–at the same time.

Ms. Freeman suggested that there were two ways for insurers to evaluate such a risk in their own portfolios. One way is to nail down how many of a carriers insureds are working with one particular provider. The other–”more proactive way”–is to look at the providers themselves and do some sort of due diligence on them as part of the underwriting process, she said, suggesting that “the quality of redundancies” of external providers be assessed along with a potential insureds internal network security.

“The contingent business interruption exposure, or liability that comes to you from [critical service providers] failure, could be very substantial,” she said.

A member of the conference audience had another aggregation issue for the panelists to ponder. “How do you assess the risk of your assessment partners and the quality of work they do?” he asked, referring to information security specialists that work with the insurers to assess the risks theyre taking on (in many cases, at no cost to the insured.)

Elaborating on why he saw this as an aggregation issue, the questioner insisted, “You cant just take what theyre doing at blind faith. I dont know how good a job Ernst & Young is doing,” he said, referring to one of the Big Five firms that insurance representatives cited as having an information security practice which provide assessments to them. “I also dont know how good CyberCop is?” he said, referring to an online vulnerability assessment service.

“Theres your single point of failure. What if theres a major flaw in that and everyone in the room thats an underwriter is using it–and we put millions of dollars at risk?”

“The risk assessment is only as good as the person doing it,” said Brian Brown, regional manager of e-Business Solutions for Zurich North America, noting that his company typically accepts written assessments provided by the information security practices of the Big Five firms.

In addition, he said there are smaller, boutique firms across the country. Many are centered around Washington because a lot of information security experts come from the military and the “real” alphabet houses, he said, referring to the FBI and CIA. “The quality of the work put out by many of these people is quite adequate for underwriting purposes,” he said.

Carol Zacharias, counsel and managing director for CNA Pro in New York, told the questioner: “I am very suspicious, as you are, about it. Weve been taking a very hard look at it, [but] I dont think theres any answer because there arent enough claims. You dont have these people providing a product until there have been claims. You dont have trends to look at.”

Later, she said, the real challenge for the industry is not in adapting coverage to insureds as their needs change–the main topic of the panel. “It is how in the world we are going to devise the underwriting process,” she added, referring again to the question on assessing security partners.

Reproduced from National Underwriter Property & Casualty/Risk & Benefits Management Edition, September 10, 2001. Copyright 2001 by The National Underwriter Company in the serial publication. All rights reserved.Copyright in this article as an independent work may be held by the author.

Contact Webmaster