The Industry Standard
July 24, 2000
INSURERS RUSH IN WHEN SECURITY FAILS; The losses from security breaches
are rising, and the advent of "hacker insurance" raises the specter of
increased litigation.
The recent viruses that have clogged
corporate e-mail systems and the malicious hack attacks that crippled Web sites
have led to paranoia and high damage estimates, but not to big-time litigation.
That could change, however, as companies turn to "hacker insurance."
Network-monitoring company Counterpane Internet Security is the latest to
offer computer-security
coverage through the venerable U.K. insurer Lloyd's of London.
"For the first time ever, organizations can buy insurance against hacking without a
security audit and without regard to the particular security products they
use," says Bruce Schneier, CTO and cofounder of San Jose, Calif.-based
Counterpane.
The sums involved are not small. The denial-of-service attacks that temporarily
halted traffic to major Web sites in February cost an estimated $1.2 billion.
Damage estimates for May's Love Bug virus range from $6.7 billion to $15
billion.
The number of firms that have sustained losses from security breaches has increased
rapidly, with more than 270 companies enduring financial losses of at least $1
million in 1999, says John Wurzler, founder of Wurzler Underwriting Managers in
East Lansing, Mich., citing an FBI study. And that loss covers only reported
incidents. For every break-in that is reported, 400 are not, according to a
study by investigative firm Michael G. Kessler & Associates in New York (www.investigation.com).
Insurers began offering computer-security insurance about two years ago. The number of
companies applying for policies has quadrupled since December, according to
Wurzler. Premiums start around $10,000 per year and go as high as several
hundred thousand dollars.
Meanwhile, legal liabilities are hard to gauge. Few security-related lawsuits have been
filed, or at least publicized. Reports have not been confirmed that CD Universe
was sued after someone gained access to 350,000 customer credit card numbers in
January and tried to extort $100,000 from the company before posting links to
the data online. CD Universe officials did not return calls requesting comment.
An ISP in Scotland is more forthcoming. Attorneys for FirstNet Online, based in
Edinburgh, are preparing to sue Nike for unpaid debt, according to FirstNet
Director Greg Lloyd Smith. Last month, Nike site traffic was redirected through
FirstNet servers to a Web site for a group protesting a World Economic Forum in
Australia. The traffic deluge crashed FirstNet's servers numerous times, interrupting
service to its 1,500 customers. "When you handle that amount of traffic
for anyone as an ISP you render a bill," says Smith.
Beaverton, Ore.-based Nike blames Network Solutions for the problem, claiming
the domain registrar didn't have adequate security measures in place.
Now that security insurance has arrived, will the tech industry be subject to the
high premiums, exaggerated claims and high-profile lawsuits that dog more
heavily insured businesses? Charles Rutstein, a senior analyst at Forrester
Research (FORR),
says no. "I liken it to insurance in other industries," he adds.
"Having fire insurance doesn't increase the number of arsonists, nor does
it increase the number of lawsuits."
But insurers can't say with confidence that the number of lawsuits - or hackers
attempting to extort money from compromised companies - won't rise now that
Internet companies are backed by insurers' deep pockets. Regardless of the
perils, the advent of insurance in the computer-security industry signals that
the market is maturing.
Unfortunately, until companies are victimized, "the risks and rewards are not always
obvious," says Dan Geer, CTO at security consultancy AtStake, based in
Cambridge, Mass. Selling security, he notes, "is as much fun as selling
compulsory car insurance."