YOU ARE HERE: LAT HomeCollections

SMALL BUSINESS | Financing and Insurance

E-Commerce Can Open New Doors to Hacker Intrusions

January 06, 1999|JUAN HOVEY

As electronic commerce becomes commonplace, businesses large and small recognize the potential of reaching vast numbers of customers at a fraction of the cost of ordinary marketing.

What they may not see, however, is that doing business over the Web can open any company to the risk of computer hacking. Even a single attack can prove devastating, with damage running into millions of dollars.

Now a handful of insurers are offering protection against the risks of e-commerce. Although the coverage is new and somewhat costly, it makes sense for business owners to check it out before venturing deeply into cyberspace.

What are the risks of e-commerce? Hackers, who could include your own employees, might:

* Intrude into your computer files and destroy them out of malice.

* Steal your inventory, cash, trade secrets and other assets.

* Inject a virus into your Web site, rendering it inaccessible to your customers and perhaps even infecting your customers' computers.

* Swipe your customers' credit card numbers.

As you can see, hackers can wreak havoc on you and your customers alike. Those are two good reasons why, despite the high expectations to the contrary, e-commerce has yet to explode.

Sensing a demand for protection, some large U.S. insurers, including St. Paul, Cigna, Reliance National and AIG, recently began offering policies to cover some of the risks associated with e-commerce. Coverage also is available through Lloyd's of London, and other insurers are likely to begin offering it soon.

But like cyber-business itself, e-commerce coverage is new to the insurance industry. Thus, insurers are proceeding cautiously.

For one thing, coverage isn't cheap. Premiums start at around $2,500 annually and rise quickly from there. Additionally, insurers aren't about to take on bad risks. That means they'll require you to demonstrate that you use state-of-the-art security to protect your computers against attack.

The St. Paul and Cigna policies protect the business against first-party losses. Those are losses suffered by the business itself from damaged software, stolen business data or other hacker mischief.

The Reliance National coverage protects the business from third-party claims--for example, losses experienced by customers whose credit card numbers are stolen through your site.

The AIG coverage protects against both first-party losses and third-party liability claims. Cigna expects to add third-party liability protection early this year. Other insurers are likely to follow in the near future, which should help to bring down the price and expand the coverage.

At some point, the coverage might even be included in those cookie-cutter umbrella policies marketed to small and mid-sized companies by most mainstream insurers.

Until then, business owners should think as carefully about buying the coverage as insurers do about offering it, according to Richard Power, an analyst with the Computer Security Institute in San Francisco, a professional organization of information technology specialists.

Power says you must substantiate a claim by proving that your losses were caused by hacking, not by an ordinary computer glitch. That's not always easy to do. It's also difficult to prove the loss of such intangibles as trade secrets, he adds.

"If you're doing serious electronic commerce and you can prove that your system has been penetrated, you will have done a smart thing by getting the insurance," Power says. "But there are a lot of ifs."

In the fast-moving world of technology, secure today doesn't mean secure tomorrow, Power says. Hackers make it absolutely necessary that any company doing e-commerce keep security an ongoing commitment.

"People are buying over the Web, but crime is increasing too," Power says. "The victims are not consumers, but businesses. Insurance is a good thing to have if you're doing business over the Internet, but it can't replace first-class security."


Freelance writer Juan Hovey can be reached at (805) 492-7909 or via e-mail at

Los Angeles Times Articles