Creighton University Student, Finance 340 Principles of Insurance
December 01, 2000
The Internet has dramatically changed our society. It has been one of the defining
inventions of our time. The Internet can be used for shopping, communication,
entertainment or research, and all from the comfort of our own homes. This invention
has given birth to a new breed of companies known as the dot-com companies. However,
with this new way of doing business comes a new type of criminal. These criminals are
known as cyber criminals. This paper is aimed at identifying types of cyber crimes,
specifically cyber extortion, credit card fraud, denial of service attacks (DOS), and the
theft of intellectual property. In today’s age of the Internet companies must put a great
deal of thought into how they are going to protect themselves from potential attacks. This
paper will discuss how, by using integrated risk management, a company can lessen their
chances of being victimized by these cyber criminals. Finally, if an attack does occur, a
company must have a way to recover the losses it suffered; this is where a new type of
insurance policy comes into play.
Researching this topic was not that difficult. With all of the recent publicity that the
Internet has been receiving, the only real problem was picking out what aspects of cyber
crime I wanted to deal with. There were many different ways that one could have gone
with this topic. For example, there have been numerous court cases resulting from the
invention of the Internet. There has been much debate over the legal aspect of the
Internet as it pertains to cyber crime. However, this paper takes a different route. The
major portion of this paper is dedicated to the analysis of four different types of cyber
crimes. Specifically, looking at how frequently attacks occur, and the extent of damage
one can expect when faced with a certain type of crime.
Losses that have occurred as a result of cyber criminals are astonishing. The majority of
losses are in the millions. This may be a bit surprising because we don’t hear about every
attack on every company, so we automatically think that these crimes do not occur that
often. However, as this paper shows, cyber attacks occur more often then we realize, and
the companies will do everything in their power to keep the attack quiet. Also included,
is the process of integrated risk management, which to many people’s surprise can
actually help defend a company from these menacing criminals. Finally, insurance
policies in the past have not traditionally covered Internet sites; but with the help of a few
insurance brokers, companies now have a back up plan should they find themselves the
victim of an attack.
There are only a few recommendations that I would give to these e-commerce companies.
First, I would strongly suggest that they use the integrated risk management technique. It
only makes sense that by fostering better communication across all facets of the company,
the company would have better chances of staving off any would be attacks. Second, the
idea of a chief risk officer (CRO) is a good one. It would be in the company’s best
interest to hire a person whose main focus is the potential risk a company may face. Last,
a company must inform all of its employees of its policies on such matters, and what
steps they should take if they discover the company is being, or has been attacked.
Table Of Contents
Executive Summary………………………………………………………... 2
Types of Cyber Crime……………………………………………………… 5
How Can We Stop These Crimes?………………………………………….
We live in an age of constantly changing technology. Today we have luxuries such as
cellular phones, GPS systems in golf carts that tell you exactly how far your ball is from
the pin, and of course increased speed and power for our personal computers. These
conveniences pale in comparison though, to a tool that has affected the whole world. The
Internet has had a huge impact on our lives. It can be used for research, communication,
shopping or entertainment. The Internet has changed how we do business, and has given
birth to a new breed of companies known as the dot-com companies. However, with all
of the growth in the e-commerce world comes a new breed of criminals. These criminals
are known as cyber criminals, and they can bring a large company to a halt from the
comfort of their own home. Cyber crimes range from cyber extortion, to credit card fraud,
to denial of service attacks, to the stealing of intellectual property. With all of these new
types of crimes, and all of the news surrounding these crimes, it seems as if no company
There is some good news though; a company can protect itself from these acts with the
proper procedures; and in the event on an attack, the company can be prepared so that
there is no major loss of business. One way of protection comes in the form of risk
management; namely integrating risk management across the whole company. Should a
company find itself victimized, there must be a way in which the company can recover
losses, and fix the problem in a very timely fashion. This is where a new policy of
insurance comes in. The issue of cyber crime is an issue that is relatively new, and one
that needs to be addressed in order for a company to survive in this new era of e-
Cyber crime is becoming one of the Internet’s growth businesses. According to an article
from BusinessWeek, the FBI estimates computer losses at up to $10 billion a year (2). It
seems as if these types of crimes are far too easy to carry out. The software that aid these
criminals is readily available on the web, all one has to do is point and click. According
to one estimate, “there are 1,900 Web sites that offer digital tools-for free-that will let
people snoop, crash computers, hijack control of a machine, or retrieve a copy of every
key stroke (Sager, et.al., 2000, 3). You don’t have to be a computer super genius in order
to run these programs either. These programs are so simple that an eight-year old could
launch their own attack.
Types of Cyber Crime
One type of cyber crime that is committed all too often is known as cyber extortion.
According to BusinessWeek magazine, cyber extortion bears a remarkable resemblance
to dealing with a real-world kidnapping. First of all, the company must decide if it’s
facing a serious case before it launches a response effort that can cost hundreds of
thousands of dollars. Tim Belcher, chief technology officer of information-security firm
RIPTech, recommends “…clients weigh the value of the damage to themselves vs. the
potential liabilities. A small incident that’s a public embarrassment may very well not
pay to prosecute” (Salkever, 2000, 2). If it has been determined that the cyber extortion is
real, then it is crucial that the company’s decision makers are contacted as quickly as
possible. At this point in time, the company may wish to pursue the offending hackers.
Also, the company will want to analyze the breached areas of their security system so that
there are no more attacks from that entry point (Salkever, 2000, 2).
There are no statistics that identify how many companies are affected by cyber extortion.
One reason for the lack of statistics is that companies do not want to admit to a security
breach. They do not reveal that they have been compromised for fear of future attacks,
and loss of business. “Almost all attacks go undetected-as many as 60%, according to
security experts. What’s more, of the attacks that are exposed, maybe 15% are reported
to law enforcement agencies (Sager, et.al., 2000, 5).
Credit Card Fraud
Credit card fraud is another form of cyber crime, and according to MSNBC, is said to be
the perfect cyber crime. According to Stephen Orfei, vice president for electronic
commerce and emerging technology at MasterCard, the Internet accounts for between 2
and 2.5 percent of total credit card transactions. In 1998 online fraud losses were
between $10.5 million and $13.2 million (Brunker, 2000, 5). “An investigation by
MSNBC has learned that while criminals based overseas now account for up to a third of
all online fraud directed at U.S e-businesses, there is no evidence that a single one of
these crooks has been prosecuted” (Brunker, 2000, 1). It has emerged that these criminals
have been so far untouchable to U.S. law enforcement, which is hampered by the
patchwork of laws on white collar crime in other countries, jurisdictional questions, the
indifference of some governments and the fact that investigation of such a crime is both
time consuming and expensive (Brunker, 2000, 2).
The cards are stolen from either mailboxes, or swiped through a card reader by
accomplices working in a store or restaurant. This information is then transmitted to
thieves overseas, who then start charging as much merchandise as they can in a short
period of time to the Internet merchants. The merchandise is then delivered to vacant
homes or living quarters rented under false names. By the time the e-merchant realizes
the purchase was made using stolen credit cards, the merchandise and the crooks are gone
(Brunker, 2000, 4). There have been improvements in the way that credit cards are
tracked for fraud, but this problem seems to have no immediate and permanent solution.
Denial of Service Attack (DOS)
On February 6, 2000, Yahoo! Inc. was brought to a halt for three hours by a hacker or
hackers. The next day Buy.com was hit, and that same evening eBay, Amazon.com and
CNN had all gone dark as well. As of right now, law enforcement does not know who
committed these crimes, or simply won’t say. What we do know is that these companies
were victims of a cyber crime known as denial of service (DOS). In the attack against
Yahoo!, the hackers commandeered computers at various universities and companies
lacking good security to bring down the targeted site. “With a DOS attack, what you do
is break into a mass number of computers and establish what’s called a zombie program,”
explains Bill Marlow, executive vice president of global Integrity Corp. “The program is
triggered at a certain time or message to access as fast as it can another site or sites”
(Conley, 2000, 22). This basically brings the target site to a halt due to the overload of
visits. It is hard to say exactly how much money a DOS attack costs a company, but if
down for too long, an e-commerce company could lose millions of dollars. However, one
estimate states that in 2000, there have been forty-six incidents, worth a total of $8.2
million in lost money (Harrison, 2000, 1). This figure is up from 1999, which means that
this type of crime is on the rise.
Theft of Proprietary Information
Another form of cyber crime is the theft of proprietary information. In this age of
technology, more and more companies are storing their information in digital form,
approximately 80% (Sager, et.al., 2000 5). This information is very important to
companies, and proved to be the most costly of the cyber crimes, accounting for $66.7
million in losses (Harrison, 2000, 1). In a recent survey conducted by Computer Security
Institute (CSI), of the 273 companies surveyed 70% of them reported theft of proprietary
information (Harrison, 2000, 1). Companies spend a great deal of time and money
gathering all of this information, and need to find better ways to protect against the theft
of such property.
How Can We Stop These Crimes?
These types of crimes are not just going to disappear. There needs to be more done to
protect the companies from such attacks. Attorney General Janet Reno vowed to battle
cyber crime, stating “We are committed to tracking down those responsible and bring
them to justice” and ensuring “that the Internet remains a secure place to do business”
(Sager, et.al., 2000, 4). The United States cannot go at it alone. The companies have to
be prepared to do battle as well. However, it seems as if these companies are still not able
to protect their information. They spend money on complex and expensive security
systems for their actual building and tangible property, but they have to realize that they
need to put as much effort, if not more, into protecting their digital information. The
company must also protect itself from the inside out. There have been cases where the
criminal was one of the employees. In fact, this is the biggest threat. “Law enforcement
officials estimate that up to 60% of break-ins are from employees” (Sager, et.al., 2000, 3).
With all of these cases of cyber crime, it seems as if no company is safe. However, there
are numerous ways that a company can protect itself from attacks; and if an attack occurs
a company must have a contingency plan. The first step for companies is to secure their
systems by locating the hacker programs that could be used in such attacks. Experts also
suggest formal security policies that can be distributed to employees letting them know
how often to change passwords or what to do in case of an attack (Sager, et.al., 2000 ,7).
In addition, devices such as “smart” cards can be used to keep criminals from gathering
information. Criminals can obtain passwords and other vital security information using a
technique known as social engineering. With regards to their actual computer systems,
complex networks and firewalls will help out as well.
Integrated Risk Management
If we are going to stop these crimes, Internet security must be the next growth business.
This is where integrated risk management comes into play. Risk management has
changed dramatically in the Internet age. “In the early 1990s, risk managers began to
assume responsibility for all risks that affect the company-credit, market, operational,
business and organizational-and thus emerged the concept of integrated risk management.
Today, the evolved disciplines enable companies to implement effective and consistent
process for protecting all of their assets” (Hernandez, 2000, 32). One step that a company
must take to defend itself against attacks is to unite these disparate groups by improving
its communication. Once there is a higher level of communication, the company will
detect risks faster through the training of management and staff in basic decision skills.
This will result in closer relationships, which leads to cooperative working between
employees; common systems for reporting and measuring exposures; and knowledge
sharing (Hernandez, 2000, 32). Some companies are also going so far as to appoint a
Chief Risk Officer, or CRO. These employees are responsible for protecting corporate
assets by implementing common processes and establishing consistent goals.
Another way that a company can be prepared when an attack does occur, is by purchasing
insurance. Many companies think that they are covered for cyber attacks, when, in fact,
the coverage is questionable (Conley, 2000, 22). Most comprehensive general liability
policies cover bodily injury and tangible property. This is where the coverage becomes
shaky. Can digital information be considered tangible property? Most insurance brokers
will tell you no. Their reasoning is that if a site is hacked, there is no bodily injury and no
property damage. The policies were not originally written to cover cyber crimes. There
is some good news for risk mangers though, insurance brokers such as AIG, Zurich F&D,
Lloyd’s of London, and other carriers have teamed up to offer NetSecure. NetSecure is a
broad policy that covers a range of cyber risks, including first party and third party
liability (Conley, 2000, 24). Most of these new e-commerce policies offer up to $25
million in coverage at a price somewhere between 2 percent and 3.5 percent of the limits
purchased. The draw back of these new policies is the underwriting process. The
company wishing to be insured must undergo an extensive audit of their computer
systems, networks, online market places, security measure, and so forth. “This audit is
paid for by the applicants, and is expensive, costing the companies anywhere from a few
thousand dollars to hundreds of thousands” (Conley, 2000, 26). Not all companies need
comprehensive insurance treatment. That’s where the smaller brokers specializing in e-
commerce, such as Kaye Insurance Associates, come in. “Our value proposition is in
handling the e-commerce risk transfer needs of small emerging-growth companies,”
stated Michael Zeldes, executive director at Kaye (Conley, 2000, 26). Insurance for e-
commerce is relatively new but is quickly becoming an important tool for the risk
Cyber crime is a fairly new topic, but one that is being discussed more and more.
Although cyber crime will never be stomped out one hundred percent, companies can
insure that they are not the targets of future attacks. There is not just one simple solution,
rather there needs to be multiple ideas integrated into one plan, and if that fails there
needs to be a failsafe, such as insurance. As Dick Heydinger, risk manager at Hallmark
Cards Inc., stated “Just when you think you’ve battened down the doors, they figure out a
new way to get in. The fact is you can never relax. You’ve got to always be one step
ahead.” He pauses, then adds, “No, make that two steps ahead” (Conley, 2000, 26).
Illegally obtaining information that belongs to a corporation via a computer, and
then holding the information for ransom
Chief Risk Officer (CRO)
A person in the company whom reports to the CEO and is responsible for
protecting corporate assets by implementing common processes and establishing
Denial of Service (DOS)
A Denial of Service attack is not a virus but a method hackers use to prevent or
deny legitimate users access to a computer. DOS attacks are typically executed using
DOS tools that send many request packets to a targeted Internet server (usually Web, FTP
or Mail server), which floods the server's resources, making the system unusable. Any
system connected to the Internet equipped with TCP-based network services are subject
A method for keeping a network secure. It can be implemented in a single router
that filters out unwanted packets, or it may use a combination of technologies in routers
and hosts. Firewalls are widely used to give users access to the Internet in a secure
fashion as well as to separate a company's public Web server from its internal network.
They are also used to keep internal network segments secure. For example, a research or
accounting subnet might be vulnerable to snooping from within.
There is a community, a shared culture, of expert programmers and networking
wizards that traces its history back through decades to the first time-sharing
minicomputers and the earliest ARPAnet experiments. The members of this culture
originated the term `hacker'. Hackers built the Internet. Hackers made the Unix operating
system what it is today. Hackers run Usenet. Hackers make the World Wide Web work.
Peak load balancing
When e-commerce companies experience spikes in demand at specific times. For
example, during the holiday shopping rush many companies were unable to handle the
A credit card with a built-in microprocessor and used for identification or
financial transactions. When inserted into a reader, it transfers data to and from a central
computer. It is more secure than a magnetic stripe card and can be programmed to self-
destruct if the wrong password is entered too many times. As a financial transaction card,
it can be loaded with digital money and used like a travelers check, except that variable
amounts of money can be spent until the balance is zero.
A term used among hackers that rely on weaknesses in humans rather than
software; the aim is to trick people into revealing passwords or other information that
compromises a target system’s security
A program set up by a hacker that is triggered at a certain time or message to
access as fast as it can another site or sites. The result overloads the site and brings it to a
Salkever, Alex. (2000, August 22). “Cyber-Extortion: When Data Is Held Hostage.”
http://www.bwonline.com (accessed 2000, September 07).
Brunker, Mike. (2000, March 03). “E-Business vs. The Perfect Cybercrime.”
http://www.msnbc.com (accessed 2000, September 07).
Hernandez, Luis Ramiro. (2000, June). “Integrated Risk Management in the
Internet Age.” Risk Management, pp. 29-32.
Conley, John. (2000, July). “Outwitting Cybercriminals.” Risk Management,
Harrison, Ann. (2000, March 27). “Survey: Cybercrime cost firms $266M in ’99.”
Computerworld, 13 (34), 28.
Sager, Ira; Hamm, Steve; Gross, Neil; Carey, John & Hof, Robert. (2000, February
21). “Cyber Crime.” http://www.businessweek.com (accessed 2000, October 09).
21). “Cyber Crime.” http://www.businessweek.com (accessed 2000, October 09).