Printed from BusinessInsurance.com

INTERNET COMMERCE SLOW TO GROW MANAGING ONLINE RISKS SEEN AS KEY TO BOOSTING TRANSACTIONS

Posted On: Oct. 19, 1997 12:00 AM CST

With security concerns widely recognized as slowing the development of Internet commerce, some see finding ways to manage and insure the risks as the keys to unlocking the virtual marketplace's potential.

At the Risk & Insurance Management Society Inc.'s annual conference in Atlanta earlier this year, considerable effort was devoted to promoting and discussing new insurance products and risk management approaches designed for Internet commerce.

Thus far, however, the development of those products has been slow, and interest in them has remained limited. Part of the problem may be the current size of the Internet marketplace itself.

"Everybody talks about the product, but right now there's not enough commerce being done on the Internet to warrant any interest," said Mark Owens, executive vp of marketing at Reliance National Insurance Co. in New York.

"In terms of gross business dollars, it's pretty small potatoes," Mr. Owens said. "Everybody's trying to understand what the exposure is, what's the need."

Reliance was among those at RIMS touting its efforts to develop Internet commerce solutions, as part of a partnership with International Business Machines Corp.

Chubb Corp. and Danish insurer Codan Insurance Ltd. also are participants in the effort that IBM announced to develop risk management tools for Internet environments.

While Reliance continues to work on the project, it hasn't developed any definite products yet, Mr. Owens said. "We're working on that. We've had a task force at work for the past several months and are in the process of putting together several forms."

"Part of what the task force is looking at is is there a need, and what is the need?" he said. "We keep continuing to make progress."

And Mr. Owens said he's not convinced that the lack of insurance products is preventing the development of online commerce.

For now, the most widely perceived risk has involved the security of online payments for purchases and the possibility that a customer's credit card information could be intercepted in transit by a third party.

But various encryption technologies might make the payment problems the easiest to solve, some experts believe, with the real issue for the future the security of information in an online company's computers.

"Big picture, our perspective on information security kind of runs like this: There's a lot of hype, a lot of confusion, a lot of chaos with information security," said Dave Muckley, a member of the board of directors of Trident Data Systems, a Los Angeles-based provider of information protection products and services.

"It's a huge issue of trust. With as much as technology does allow us to move information back and forth, the trust issue is huge out there," Mr. Muckley said.

And, he noted, many companies whose security is breached are reluctant to pursue legal recourse because of the possibility of a negative public relations impact.

In that context, it might not be surprising that online businesses questioned about the risks they perceive and steps they've taken to mitigate them generally chose not to respond.

A spokeswoman for one company that did answer questions, Seattle-based online bookseller Amazon.com Inc., limited its response to addressing the security of credit card payments.

"Statistically it's much safer to use your credit card on the Web than to use it in a restaurant or department store," she said. "We think that's good news, but we still take every possible precaution to protect the integrity of your card information."

Amazon.com offers consumers the choice of using the Netscape Secure Commerce Server, an encryption system that protects information during transmission. "You can safely enter your entire credit card number in the secure server, and it cannot be read in transit," the spokeswoman said.

But Steve Haase, president of Network Risk Management Services in Atlanta, a subsidiary of broker Hamilton Dorsey Alston Co., argues that the payment issue-while a driving concern in current efforts to find risk management solutions-is just part of the problem.

"The big issue that's going to drive a change in insurance is privacy of information," Mr. Haase said. "With computer connectivity risk, the issue isn't that I publish data about you but that some third party gets access to the data.

"Long-term, I don't think (credit card theft) will be the driving issue."

Better encryption technology will reduce that risk, and online commerce "will go from credit cards to private currencies, cybercash.*.*.encrypted financial transactions," he speculated.

Mr. Haase's company was another of those at RIMS that unveiled products aimed at Internet businesses. The product, a policy called InsureSite being underwritten by American International Group Inc. member companies and available through Network Risk Management Services, is linked to a Web site certification program offered by the National Computer Security Assn.

The insurance coverage,, with limits up to $5 million, includes customer funds security liability coverage, coverage for personal injury liability linked to electronic communication of information or unauthorized access of information at the site and coverage for direct physical damage to computer equipment and data stemming from vandalism, computer viruses or other perils.

So far, the number of actual policies issued has been limited. But Network Risk, which is acting as a wholesaler of the coverage, will start advertising it later this month, Mr. Haase said, which he expects to spark additional interest.

Thus far, there have been 15 actual submissions, of which "we have a few that we're writing. We're waiting on three," Mr. Haase said. "We've had to react a little to the marketplace."

The initial rates were essentially a "beta test," Mr. Haase said, "and we didn't want to price it too low." Those rates have been adjusted downward somewhat.

"We are under non-disclosure with about five companies right now," Mr. Haase said, describing those companies as being "involved in various Internet transactions."

More than 100 agents and brokers have indicated interest in representing the product, he said.

"At least we're off and running and writing business," he said. "From our budget perspective, we are on track. But whether this is a viable product we really won't know until our advertising really hits and we see how deep the waters are."

Mr. Haase said he expects some additions to the InsureSite coverage form in the near future, though he wouldn't disclose them for fear of tipping off competitors. "There are issues that are not covered that we want to address," he said. "And we expect to have our upgraded program out by the end of the year."

Mr. Owens said Reliance's coverage, which likely will provide some sort of errors and omissions and warranty coverages, probably will hit the market during the first half of 1998.

"I wish I was going to see it by the end of the year, but I don't think that's going to happen," he said.

While the online commerce market may remain small, Trident's Mr. Muckley contends the risks confronting those operating in the virtual marketplace are very real, though there's a lot of confusion about information security.

"Now what's happening is with the explosion of the Internet, our great technologists have made the transfer of information easier and easier, but at the same time, concerns for security have greatly increased," Mr. Muckley said.

Contrary to the views many have about the risks facing online businesses, Mr. Muckley said that while his company's experience "shows that the hype mostly has to do with outside threats," Trident believes the greatest risks are within an organization, such as from disgruntled employees.

"The key to it all is that security is really a process," he said. "Not just a bunch of point solutions."

His company has its clients start by examining their information assets and ranking them.

"You look at what are your vulnerabilities to the information assets and what are your potential threats," Mr. Muckley said. Once that is done, a company can develop possible solutions.

In trying to deal with liability stemming from system breaches, "it's important that you can show that you had policies and procedures and you had rules of engagement and those rules were violated," Mr. Muckley advised.