HIGH TECHNOLOGY RISKS - THE LIMITATIONS OF INSURANCE
There will be many such demarcation problems in the future and the only solution is a complete restructuring of t[...]
[...] risks, others are [...]nce. It is inevitable [...] should have many (but not all) of the limitations outlined below. The [...] which insurance is blindly seen [...] particular risk.
THE KEY LIMITATIONS
Insurance is only an adequate solution as long as certain prerequisites are satisfied. The most important are that:
THE RISK IS IDENTIFIED
I shall deal with this question in a future issue.
A PIGEON HOLE CAN BE FOUND
Few insurers carry all of the risks that they accept: they in turn insure against the risk of large claims on one policy, or on an aggregate of policies, by means of a specialist form of cover: the reinsurance contract. Thus the whole insurance industry, from the training and authority of the primary underwriters through to the wording of the all-important reinsurance contracts, is sub-divided into a number of risk areas. Physical damage risks will be written by one underwriter on one policy form and reinsured by a particular reinsurance policy, fraud risks by a different underwriter on a different policy, reinsured on a separate reinsurance policy, and so on. The insurance market is thus vertically geared to demarcation lines that follow the overt cause of loss, and the majority of the boundaries were established several decades ago. This not only means that it is much more difficult to obtain cover that transcends the traditional boundaries, but also that it may not be possible for the user to identify the cause of the loss, only the consequences. Did the problem emanate from the hardware, the software or an operator error?
• The purchaser of a new computer system began to suffer from loss of data several months after commissioning. Each of the parties involved, hardware manufacturer, software house and DP department, denied responsibility and passed the blame on to the other two parties. Finally, at great cost, an independent consultant was called in. It was only after lengthy investigations that the true cause was found buried in a highly protected part of the program: a logic bomb used by the software house for "credit control", gradually erasing data unless countermanded by a secret code that would be hidden in a routine update supplied once the program was fully paid for. A dispute over non-performance of another part of the program had caused payment to be withheld, and thus the logic bomb operated as planned. With only some risks insured, and several insurers involved, the Insured had had to spend a great deal of money to identify the exact cause of the loss, as the policies in force related to defined causes. In this case, the fee was wasted as the risk was uninsured (although there was recourse against the software house).
DISCLOSING THE FACTS
It is a requirement of all insurance policies that all material facts are disclosed to insurers, at the inception of the policy, at each renewal and, to a lesser extent, throughout the period of the policy. A material fact is information which would influence the judgement of a prudent insurer in determining whether he will accept the risk and, if so, the terms and conditions that he would require. The insured is deemed to know every circumstance which in the ordinary course of business ought to be known by him. However, it is not necessary for the insured to disclose facts that the underwriter may be presumed to know, or which are common knowledge. Failure of the insured to observe his duty of disclosure entitles the insurer to avoid the contract. Clearly, therefore, insurance is not a way of removing bad risks unless the nature of the risk is fully disclosed to insurers. If, for example, there are no adequate back-up procedures and data is lost, insurers may be entitled to avoid a claim, even though a specific question was not asked on the proposal form. The duty of disclosure must also be considered in conjunction with the duty of care, discussed below.
TAKING REASONABLE CARE
There is usually a specific policy condition requiring the insured to take reasonable care, and again violation of this condition will entitle the insurer to avoid any relevant claims under the policy. However, as was demonstrated in the Hogg Robinson report, Computer Security in Practice, the standards in many computer installations fall below those that may be considered to be reasonable, and consequently the validity of the insurance covers protecting those installations must be questioned.
Computer Law and Security Report [1988-89] 4 CLSR
However, the impact of a disaster (which could include the temporary loss of vital hardware) cannot be underestimated, nor can it be quantified in purely financial terms and thus insured. Computer disasters can destroy or debilitate the impetus of a company, whose whole management attention has to be turned away from its corporate aims and concentrated solely on recovery. They can seriously affect the company's goodwill with its customers, its suppliers and the general public. They can have a traumatic effect on the personal lives of its management and employees; to quote the managing director of one company that survived a disaster, "despite all the lessons that we have learned, we would not survive a second disaster because our staff just would not tolerate all the extra demands that were made on them". Once vital market share has been lost, or the technological lead conceded to competitors, the lost ground may never be regained.
PROVING THE LOSS
Insurance can only apply to measurable losses. You can insure against someone destroying your data because the cost of recreating that data can be estimated in advance and measured at the time of the incident. If a competitor accesses your data and utilises the information to amend their marketing strategy, undercut your tenders or take your new product ideas, how do you prove precisely what losses you have sustained? What sales you have lost, or what contracts you have failed to secure? Computer risks have many similar problems, exacerbated because so few loss adjusters (the independent investigators of complex losses appointed by insurers) have any understanding of, or specialisation in, computer technology.
AGREEING THE MEANING
Marine insurance has the fewest disputes on the meaning of the policy. The policy forms and clauses have been in use since the beginning of insurance history and virtually every phrase has been tested by the courts. Most computer policies are adaptations of wordings that pre-date current computer technology. For example, to express cover for "corruption of data" most insurers, providing cover from their engineering departments, used a word from old engineering insurance terminology: "distortion". The source of this word goes back to engineering insurance roots: cover for the distortion of steam pressure vessels. Even those insurers that accept computer terminology play safe and use both words together. There are many similar examples, such as the use of the phrase "recompiling data" to refer to data reconstruction, whereas "compiling" when used in a DP context refers to a software-related process. This confusing use of terminology occurs in a part of the policy that is already unclear as to whether software recreation costs are included, and adds further to the confusion. The net result of such bad use of terminology is that most computer policies are full of grey areas: words that do not exactly relate to the new technology, or its language, and yet which are untested by the courts. The last resort in an insurance dispute is to determine the intention of the contract, and yet if the underwriter does not understand the technology his intentions must have been unclear.
TAKING THE MONEY
Insurance cannot prevent the loss: it can only provide you with some form of financial compensation. Most physical property can be replaced, and thus money from the Insurer to pay for its replacement is a satisfactory recompense for its loss.
YOU PAY IN THE END!
Insurance is not the answer to risks that could produce recurring losses, as the insurer will react by increasing the premium to a level that should still enable it to make a profit if the historic losses are repeated. Changing insurer will not help, as the losses that have been sustained have to be disclosed to any potential new insurer, who will react in a similar manner.
CONCLUSIONS
Given the limitations discussed above, it can be seen that the most damaging characteristic of insurance is that it can introduce a false sense of security. "I do not need to spend money on computer security because I have a computer policy" or "I have done all that my insurers have recommended; I do not need to do any more". The general limitations of computer insurance are often ignored, just as many companies are happy simply to have "a computer policy", regardless of its relevance to their computer risk. This process is encouraged by the insurance industry, which has absolute confidence in its products as being the sole answer to computer risks:
• In 1986 one insurance group ran an advertising campaign in the insurance trade press, aimed at insurance brokers, to announce its new computer cover. The campaign took the form of a mini story, told by a series of cartoons. In a DP department in which the managing director is allowed to wander in smoking a pipe, cups of tea rest on the CPU and back-ups are unheard of, the managing director expresses his concern at the company's dependence on its computer. The sole solution offered is to take out the new insurance policy. The computer then suffers a dramatic breakdown/explosion that destroys most of the hardware. In the final scene the company has completely recovered from the disaster and the managing director is congratulating the DPM for having insured the risk. The advertisement contains no comment on the adverse risk features that have been unintentionally shown by the cartoonist, and the implied message is that insurance is the only answer to the managing director's concern.
It is no longer sufficient merely to insure computer risks: responsible action can only consist of an identification and understanding of the risks that are being run, covert as well as overt, and an in-depth understanding of the insurance protection available and its relevance to those risks.
David Davies
Risk Management Editor