137 South Street, Suite 3
Boston, MA 02111-2838
617-451-2140 x312
FLicata@LicataKelleher.com

COMPUTER SECURITY IS NOT A BLACK HOLE

"Can you give us a guarantee?"

The need for computer security isn't going away - in fact it is intensifying. Technology enables faster and more efficient ways to commit old crimes, and the sophistication of the tools means a criminal needs fewer skills. It's relentless and complex.

It might seem that your alternatives are:

  • Put all your cash in a canvas bag and deliver it to your favorite computer security firm
  • Hide the small losses from your boss (or the board) and keep your resume fresh in case of the big one

What's so hard about this? Why not simply hire a security firm and implement the recommendations? Because there are so many areas of vulnerability that the cost can become almost infinite, and while you work on one particular threat, a new, more serious one will present itself. Add to that the fact that no security firm (as of now) will take responsibility for a security failure, i.e. remove the limitation of liability from its contract. There is, though, a process that works.

A LOGICAL APPROACH

The only viable method is one that involves focus. That is, security funding can't be wasted on a scattershot approach -- the funds will be exhausted and multiple holes will remain. The system can be defined by two simple rules: 1) go where the insurance isn't; and 2) don't mitigate the insurer's risk.

This can be titled the "CFO Approach" or the "Risk Management Approach." Computer security risk is like other risk the firm faces. It is amenable to risk management techniques: identify, transfer and finance the risk. The fourth component is loss control which is the work of the security firm.

Look at risk from the top down, rather than from the bottom up. Identify the risk - consultation with a security firm will help here. The risk then needs to be funded (usually by insurance). If the loss could be absolutely prevented, insurance would not be necessary; get an ABSOLUTE GUARANTEE from a deep-pocketed security firm before you count on this (it's not going to happen). The serious answer is to use the security service to protect where you cannot get insurance coverage, and to negotiate a better deal with the insurer.

GO WHERE THE INSURANCE ISN'T

Where the potential loss is covered by insurance, security can be set at a lower priority. What is the higher priority? Where you are bare. Example: most security firms will tell you that the internal threat - your own employees - is greater than the external threat. They will then, of course, suggest you spend a good percentage of your security dollar on that exposure. The problem (or solution) is that most "Employee Dishonesty" insurance does not exclude loss carried out through the use of computers or networks. Most businesses have been carrying (and still do carry) employee dishonesty coverage to protect against the old-fashioned embezzlement scheme. So, though the internal threat is a big exposure, it may already be fully covered. The prioritization process lets you allocate your security spending more effectively to other areas.

Is it black and white? Of course not! Employee dishonesty covers theft, not malicious damage. There is still need to protect against, say, intentional destruction of data by an employee.

Here are other examples from the field:

  • A "Computer Fraud" policy. This covered theft via electronic means by a non-employee. What was not covered (and therefore the area for focusing security efforts): theft of intellectual property - where the need may be, for example, for encryption - and denial-of-service type attacks.
  • An "EDP" policy. It covered data loss from viruses and hacking, but did not cover human error such as accidental erasure or mistakes in programming. Would the focus then be on employee training rather than on securing the data with firewalls, etc.?

DON'T MITIGATE THE INSURER'S RISK

This would be better titled "Don't mitigate the insurer's risk without being paid for it." In other words, it may be necessary or even desirable to secure an area that is in fact insured, but this should result in a premium reduction or an improvement in coverage terms. This is a delicate negotiation with the insurer. Some of them don't want to know too much. They are "class underwriters": their underwriting process is based on spread of risk - large numbers of homogeneous exposures. Given a big enough pool, the individual characteristics of insureds fade in importance. These insurers are usually involved in the smaller accounts. Other insurers are more sophisticated and more suitable for a true partnership: "We will buy the insurance from you, you will make security recommendations, we will execute them, you will give us a large premium reduction," and so on.

So security and insurance are closely intertwined. The most effective approach involves the following steps:

  1. Identify the exposures; the risk manager will need to associate with a security firm to do this.
  2. Negotiate insurance coverage. Concentrate more on the severity than on the frequency potential. This is an alternative way to calculate (or estimate) a return on security investment: insurers have the most extensive loss databases, and the value of the loss exposure is the cost of the insurance. Can security replace or reduce that number?
  3. Engage a security firm for where the insurance isn't; a corollary: engage security to drive a better insurance deal.

Give and take, back and forth; it is a continual process. This is a dynamic area.

Given the inevitability of losses, you'll be judged not by whether you were the victim of an event, but by how well you planned for it.

(C) 2002 Licata Kelleher Risk and Insurance Advisers, Inc. Permission granted for distribution as is (with full attribution).

Contact us for risk management strategy and implementation.

Licata Kelleher is a risk management and insurance advisory firm. The firm does not sell insurance, but does counsel clients on the effectiveness of insurance, on reducing the cost of insurance and on the risk management process.

The above is intended to be general information, and should not be construed as specific recommendations.
