Corporations may be compelled to buy specialized insurance to protect themselves against damages from computer viruses because reinsurers are excluding those losses from catastrophe coverage in property and casualty policies.

Reinsurers began putting exclusions for virus claims into their treaty reinsurance contract renewals in January, says Jill Dalton, North American property practice leader at Marsh & McLennan. More are expected to follow at the July 1 renewal period, meaning corporations will likely get the news soon.

"The direct (insurance) markets will follow through with exclusions for our clients," Dalton says.

U.S. companies have already discovered problems in their traditional coverage when it comes to cyberrisk. One of the biggest is that property insurance requires a "direct physical loss," and many insurers argue that damage to electronic data doesn't fit that description.

Many European insurers already have confronted U.S. companies that have overseas property coverage with exclusions for computer virus losses, says Michael Rossi, president of the Insurance Law Group in Glendale, Calif. He expects U.S. carriers to add the exclusions in property policies in the coming months.

The trend is good news for the spate of insurers that have been introducing cyber-protection lines and have received mostly lukewarm responses to date.

Phil Norton, president of the professional liability division of insurance broker Arthur J. Gallagher, says the leaders in providing broad cyber coverage are AIG, Zurich, Lloyd's of London and, for financial institutions, Chubb.

Pricing varies depending on a company's Internet exposure, but a broad-based policy would cost about $17,000 per $1 million of coverage, he says.

 

Fraud and the Enemy Within

When Web site security company VeriSign discovered it had issued digital authentication certificates to someone fraudulently claiming to represent Microsoft last January, it quickly revoked the authorization.

The person could have marketed software using the Microsoft name or distributed destructive software under the company's rubric. The incident caused alarm among IT risk managers worried about outside attacks on their systems.

However, security experts say the focus may be misplaced.

"The vast majority of information-protection breaches comes from inside the company," says Chris Zoladz, vice president of information protection at Marriott International in Bethesda, Md. "They are able to understand the system and exploit the soft spots."

Few corporations will publicize such inside breaches, but informal surveys indicate the problem is growing. J. Russell Gates, managing partner of risk consulting at Arthur Andersen in Chicago, estimates that insiders represent 60% to 75% of the threat to a company's information security, although "the external incidents are more visible."

As the reality of such threats sinks in, corporations are increasingly creating "information protection" positions such as the one Zoladz holds. "This specialty is in its infancy," says Zoladz, who assumed his title in August 1999. Previously, he ran the hotel chain's information resources audit group.

Another sign of the new awareness: Membership in the Financial Information Protection Association grew 25% last year.

 

 
