The loss or compromise of a company’s valuable data can cost a business dearly. In the US, the recent “Heartland system” example provided an indication of the potential risks involved when the company announced that one very large breach (involving 130 million credit card details) resulted in a loss of more than US$32 million – and that’s just in the first half of 2009!
According to American investigators, the methods employed by Albert Gonzalez and his ring of 10 were not very sophisticated after all. What they did was to scan lists of Fortune 500 companies to identify potential victims, gain information about point-of-sale systems used in transactions, and then launch hacking platforms. Gonzalez’s 10 communicated through instant messaging and accessed corporate websites through ‘proxy’ computers, thereby disguising their own whereabouts. They also tested their malware against anti-virus products to ‘foolproof’ their plan.
The potential damage to businesses from cyber crime is tremendous. Many businesses today use systems to interface with customers. These businesses stand to suffer in many ways – a compromise in data security can cause a serious loss of confidence in a financial services institution, leading to losses in revenue. The company may also need to address the security weakness in question, pay damages to customers who were defrauded and who have suffered financially, reissue credit cards, cover investigation and litigation costs, as well as cover the loss of revenue due to business interruptions while investigations are in progress.
Protecting critical assets
Today’s businesses increasingly rely upon external and internal communications networks, which are deemed critical assets. ‘Critical assets’ is a term used to define a company’s electronic data (business and customer information), software applications, computer programmes/systems, networks and IT infrastructure.
In this day and age, it is difficult to think of any business that does not rely on critical assets for its day-to-day operations. A compromise or attack on a company’s critical assets can seriously debilitate a company’s ability to conduct its business.
To address the challenges of IT downtime and damage to critical assets such as software applications and data, organisations are investing in business continuity. However, no matter how robust an organisation’s prevention strategies, there is no absolute guarantee of safety from threats such as viruses, terrorist attacks, simple operational mistakes or human error.
Most companies have limited insurance to cover operational risks relating to electronic data, applications and computer networks. Property insurance markets are yet to offer coverage for non-physical events. Generally, property policies do not provide effective protection for non-tangible assets such as electronic data. Many specific cyber risk policies offer limited coverage and have uncertain methods of determining loss amounts, often capping limits of liability per hour. Frequently, these policies also contain inadequate limits for contingent business interruption or exclusions that limit coverage for rogue employees involved in computer crime.
A Network Asset Protection (NAP) Policy will fill these critical gaps in coverage. It will cover the company for:
• Loss of digital assets: coverage for costs incurred in the restoration or replacement of digital assets damaged, destroyed or corrupted as a result of computer attacks, criminal attacks, introduction of viruses, human error and other related perils.
• Non-physical business interruption/extra expenses/special expenses: coverage for income loss and interruption expenses following computer attacks, criminal attacks, introduction of viruses, human error and other related perils.
• Cyber extortion threat: coverage for extortion expenses and monies involved in responding to threats to commit computer attacks, introduce viruses and/or destroy digital assets.
Importantly, the policy also includes coverage for accidental damage or destruction to digital assets, arising from administrative or operational mistakes (human error) and costs in areas that you may not have foreseen. Examples include public relations, customer notifications and forensic expenses, which can quickly accumulate to significant sums.
Threats to an organisation can also emanate from within the organisation and it is these which are typically the hardest to control. The NAP policy provides coverage for malicious attacks by rogue employees. The scope of the policy can be extended to cover a business’ exposures worldwide.