‘Evolution of Risk’ – Business Insurance

‘Oh, what a tangled web we weave…”

When that quotation was published in the early 19th century, Sir Walter Scott was surely not thinking about the risk exposures that would be created by technological advancements and e-commerce. He could not have imagined the accumulation and exchange of vast amounts of sensitive information in cyberspace. And while he spoke of deception, Sir Walter, a Scottish poet and novelist, likely didn’t foresee a rise in identity theft 200 years into the future.

Welcome to 2005. Several major corporations-ChoicePoint Inc., Bank of America Corp. and a unit of the Lexis-Nexis Group among them-have announced security breaches that have compromised the personal information of their clients and customers.

Amid these incidents, which affected hundreds of thousands of individuals, brokers and insurers see a growing market for insurance policies that cover risks related to network security, privacy breaches and identity theft.

“We’re seeing evolution of risk,” said Bob Parisi, New York-based senior vp at National Union Fire Insurance Co. of Pittsburgh, Pa. When cyber policies were first introduced in 1999, much of the risk was vandalism. Now, the exposure is large-scale, organized thefts for commercial purposes, Mr. Parisi said.

Most existing commercial general liability, professional liability, errors and omissions and even some technology policies aren’t keeping pace with the developing exposures.

Brokers, Mr. Parisi said, must consider “the new alternatives and options that can help your client transfer the risk. If you haven’t upgraded your coverage, you’re probably not covered,” he said.

The marketplace will continue to offer more options, predicted Michael P. Dandini, assistant vp for the technology unit at Hartford Financial Products in Hartford, Conn. “We see companies that haven’t played in this area previously trying to do so and putting forms out there that meet these needs,” he said.

Because it can be difficult to isolate network security from privacy breaches and identity theft, most of the new offerings are aimed at multiple risks.

Emily Freeman, senior vp of London-based Jardine Lloyd Thompson L.L.C., said, “You don’t just insure identity theft. You insure a wide range of torts, including identity theft.”

“Many people equate them as one type of event,” said Mr. Parisi. “They are very different but often can be related,” he said, noting, for example, that a security breach can lead to identity theft or privacy infringement.

Awareness of these exposures is increasing as regulators and legislators at both the federal and state levels take more steps to protect citizens’ privacy and hold corporations accountable for safeguarding sensitive personal information in their databanks. That awareness has commercial policyholders and individuals alike looking for safety nets.

“The consequential loss is large” in identity theft incidences, whether the impact is to the consumer’s damaged credit rating or to the financial institution that may have to close compromised credit accounts, said JLT’s Ms. Freeman.

“In the beginning, e-commerce companies were concerned about issues such as trademark and copyright,” said Laura Johnson, a Kansas City, Mo.-based vp at managing general agent Euclid Managers L.L.C. “A lot of those clients are now looking to have security coverage.”

The same is true of other types of companies, including application service providers that handle information belonging to other businesses, Ms. Johnson said.

Companies on notice

Several factors are converging to spur the growth in demand for insurance.

“People are becoming very much more aware of their privacy rights,” because everyone is hearing about more incidents of privacy breaches and identity theft, noted National Union’s Mr. Parisi.

In turn, those incidents are leading to “a lot of legislative heat and light about this,” said JLT’s Ms. Freeman.

That increased legislative interest could result in the federal government and many states enacting legislation modeled after a California law that requires corporations to notify customers when information security breaches occur, insurers and brokers say. Congress could follow up the privacy provisions in the Health Insurance Portability & Accountability Act and in the Gramm-Leach-Bliley law with legislation that puts restrictions on far more industries than health care and financial services, these executives say.

Once you have a requirement to warn, it draws a connection between consumers and the source of their identity theft, Ms. Freeman said. When individuals know how their identities were stolen, then they see a responsible party to sue, she said.

The effect of California’s law really is felt far beyond the state’s borders, Mr. Parisi said, because “companies are not going to tell only their California clients.” Businesses “recognize that there really is a duty of care” owed to their customers, he said.

The duty of care that companies have to customers in terms of privacy and security statements is being closely watched by the Federal Trade Commission, said Ms. Freeman. “It’s a deceptive trade practice if the promise doesn’t meet reality,” she said.

All of this has put companies on notice.

“General counsels at corporations now are concerned,” said Mr. Dandini of Hartford Financial Products. “Companies with larger networks have been thinking about it (for some time); now midsize and smaller businesses are getting more aware.”

“Boards and audit committees are asking deep questions,” Ms. Freeman noted.

The answers may not be what they want to hear.

For example, many insurers will cover identity theft that is committed by a third party, but not by one of the policyholder’s employees, said Euclid’s Ms. Johnson. Many E&O policies would respond in the same way.

“Data is not tangible property,” said Ms. Freeman of JLT, so traditional general liability coverage does not respond.

To be effective in today’s world, “coverage must address the risk to people, processes and technology,” she said.

New and updated products

The Enterprise Privacy policy for U.S. financial and health care industries introduced last month by Jardine Lloyd Thompson L.L.C. and JLT Risk Solutions Ltd., units of Jardine Lloyd Thompson Group P.L.C., covers a company even if an employee perpetrates the security breach or identity theft. “The innocent insured provides severability,” Ms. Freeman said. “That’s really essential.”

The product covers third-party privacy suits arising from an insured’s breach of privacy under federal laws such as Gramm-Leach-Bliley and HIPAA, as well as state privacy laws. It also includes network security, which covers legal liability and the cost for claims due to computer attacks caused by security failures, including identity theft and client information theft; and regulatory fines and penalties, including defense costs. The normal maximum limit is $15 million, but limits of up to $25 million will be considered for the excess lines coverage.

Consumer demand will likely prompt other insurers and brokers to introduce new or updated products.

“You’re going to see the insurance buyers looking for specific things in their forms,” said Ms. Johnson of Euclid.

“A lot of older forms are going to update their language,” she said. “We have the advantage of coming out with new language after having researched the market.”

Euclid Managers’ ClickStream Internet liability and HyperDrive technology liability policies both offer security protection, including protection for a policyholder’s failure to prevent identity theft or credit/debit card fraud. The policies also cover injury from copyright and trademark infringement, as well as errors and omissions protection.

Another insurer addressing this growing area of exposure is Hartford Financial Products. Before developing its new Tera form, which came to the market in 2003, the insurer looked at the e-commerce trend and anticipated the intellectual property, privacy and security risks that would ensue, Mr. Dandini said.

The Tera form gives “small, midsize and larger business expanded coverages as well as E&O-all in one place.”

National Union’s Mr. Parisi said that, among the products addressing these risks, “if there is a cutting edge, it’s really on the privacy front.” The insurer covers privacy breaches related to intellectual property, as well as privacy risks tied to identity theft from internal or external network security breaches and abuse of privileges, Mr. Parisi said.

Brokers and insurers see hefty premium potential in this niche.

The market is likely “huge-the sum total of all businesses that collect information about consumers,” said Ms. Freeman. Mr. Dandini of Hartford said the market opportunity is likely “hundreds of millions of dollars in premiums.”

Sophisticated criminals are forcing corporate America and individuals to be on guard.

A broker assessing a client’s risk needs to look for e-commerce exposure and must determine if there are other technology, privacy or identity theft perils lurking, said Hartford’s Mr. Dandini. Hartford has technology specialists that can help bring such perils to light, he said.

“The risks are different, and traditional coverages are not picking up additional exposures, because they never intended to and are not now,” said National Union’s Mr. Parisi.