Articles
One relevant article is from a financial magazine called Reactions
(for the full article, their website is www.reactionsnet.com).
"Preventing the Chain Reaction", April 2003, by Russ Banham, is a
comprehensive article on recognizing that a company's information system
is often its most valuable asset, but that the more complex and
inter-linked the systems become, the more vulnerable they are.
The article addresses some important new revelations about managing the
risks that company networks and client data are exposed to. Below are
some highlights:
"Corporate
Performance Management (CPM) is the new buzzword among many corporations.
This tool links disparate technology systems within a company, allowing
managers to see how the whole company is performing and the individual
divisions to share information. Data is pushed and pulled across the
enterprise – from sales to human resources (HR) to production to finance
and back. Now imagine if one of these systems is corrupted – infected
with a virus that alters the data or destroys it.
In the old days (read: last year), only the infected system would be shut
down. But in the new era of CPM, the entire company’s information assets
are at risk."
The threats of malicious code from hackers, threats from employee
errors or malicious activity from internal or external sources have never
been greater. Just ask an IT manager responsible for restoring a
hard drive or cleaning up a virus or a worm. The costs to get a
system up and running are accelerating, as are the costs to defend
customer and client claims against defamation and privacy rules.
"According
to a survey by Computer Security Institute, a trade group of computer
security experts, 85% of the 538 companies polled detected computer
security breaches in 2001, and 64% said the attacks caused a large
financial loss. A single denial-of-service attack against several large
e-commerce sites in early 2000, among them Amazon.com and eBay, shut down
the sites for two days, costing the damaged companies $1.2bn."
The
article outlines a recent example of a bank that was exposed to a virus
that acted like a denial-of-service attack. There were several
consequences, including the ATM network going down. This is a good
example of how the interconnectedness of systems is creating an
ever-bigger exposure.
Where
to go for relief? "But
victims of cyber-crime should not expect compensation from standard
property/casualty insurance policies. These do not provide coverage
against cyber-perils." The court cases have begun to
speak. Since Micro versus American Guaranty & Liability
Insurance Company, insurance policies have been changed to
specifically exclude intangible assets.
Dave
Morrow, deputy director for global security and privacy services at EDS,
an information services company in Texas, is quoted as saying,
“People think the culprits are always hackers, but we in the
technology security business know the real threat is the insider – some
disgruntled employee with an axe to grind who knows the IT systems and how
to undermine them,” he explains. “The chances of them doing enormous
damage are far greater than the stories you read about.”
"Although
cyber-insurance has jumped in cost during the hard market because of
higher reinsurance premiums, foregoing coverage is unwise. So says
President Bush: The National Strategy to Secure Cyberspace report issued
by the White House recommends cyber-insurance “as a means of
transferring risk and providing for business continuity”."
The
article ends with a note that some Directors' and Officers' Liability
(D&O) policies state that if the company doesn't maintain a
cyber-liability policy protecting against cyber-risks and related business
interruption losses, the D&O coverage is excluded.