Leading Hong Kong insurance firms are focusing attention on policies tailored to suit the needs of businesses that are at risk of suffering huge losses because of a host of Internet-related crimes. In the past few months, insurer American International Underwriters (AIU) and insurance broker Marsh Hong Kong have launched new insurance products covering damages of up to US$200,000 for businesses that are attacked by a computer hacker, suffer losses through Web site liability or other online risks. HSBC Insurance is studying the market with a view of launching such a product, while other insurers are also taking a close look at the market. Insurers said the need for an Internet liability policy had risen because of a sharp rise in hacking activities. According to police figures, more than 200 hacking incidents were reported last year alone. This was a sharp increase from just 50 such incidents in 1998. As recently as last month the home page of the Interactive Government Services Directory was hit twice by hackers in 24 hours. One of the biggest risks businesses face is the denial of service, which interrupts operations and results in huge loss of revenue to the company. Earlier this year, the Web sites of Yahoo! and Amazon.com were disrupted as a result of such an attack. 'When there is a denial of access, the business is like a big trunk, which is choked,' Marsh Hong Kong business development practice head Anthony Yuen Tak-tim said. 'There is no physical damage but being frozen there are punitive damages, which this new type of insurance policies would cover.' Apart from the aggression of hacking activities, risks are compounded by the lack of adequate skills in network management in Asia. GartnerGroup Hong Kong research director Joseph Sweeney said: 'The damage of computer attack is rising seriously especially in Asia; the quality of network managers is very low by international standards, many of them [companies in SAR] have poor security. It makes them easy targets.' Hong Kong Productivity Council information and technology general manager Yung Kai-tai said: 'Hacking has a severe impact because it may result in loss of confidential information and data, exposing companies to third-party liability. Viruses which lead to denial of access will result in loss of revenue. If you have a good backup system, you can recover your database but not the revenue lost in the period of malfunction.' The Productivity Council is planning a computer emergency response team to monitor global virus attacks. Insurers said SAR companies had insurance policies written many years ago that did not provide for new risks faced by businesses. AIU management associate Chin Seng said: 'Previous policies are silent in Internet issues as they were written 10 years ago. Companies are assessing their insurance portfolio to see if their current policies do pick up and fill the gaps.' Marsh's Mr Yuen said Internet risk could be broadly categorised into three groups: liability to third party, e-business interruption resulting in loss of revenue and Internet crime involving fraudulent use of Web sites. Mr Yuen said: 'Such policies were virtually not here before this year but like most coverage, we look at the business activities in order to determine the risk. We need lots of measures to look into the security system, do a health check before offering insurance to the companies.' How much insurance should companies buy to be adequately covered? Insurers said it varied, depending on factors such as the size of the business, its financial health and strength of security. Some firms were insured for as much as HK$100 million. The more secure the company was, the less premium it needed to pay for the same amount of coverage, insurance underwriters said. Writing a new policy for traditional businesses was relatively simple but in the absence of loss and risk statistics on computer attacks, insuring for Internet business meant sailing in uncharted waters. Mr Yuen said: 'It depends on the security measures you deploy. Such insurance policies are still in infant stage, so much valuation is based on estimation and accumulation of experience. 'If your system is hacked and business is interrupted, we calculate the loss from the previous year's revenue. However, for new companies which do not have past year's record, it will be based on the projection figures.' When assessing the value of a Web site, some of the areas insurers look into are the activities of the Web site, whether it involves little hazard, whether the company is building and maintaining sites for others, transacting business on the site or advertising for others, as well as the size of readership and number of page views. For computer fraud coverage, the underwriters will look at how a company's prior crime policies have been priced, make some modification for loss control, and treat denial-of-service attacks like standard business interruption. However, there was no fixed rule of calculation on how much income a company would lose if it was out of business for a certain number of hours. Prevention was better than cure, Mr Yuen said. Many saw it as an after-effect issue but this new type of insurance which had no geographical boundary could not be overlooked in the new era of e-business. The online stockbrokers, Internet service providers and trading companies moving from traditional to Internet businesses were seriously considering such insurance, Mr Yuen said. AIU's Mr Chin said: 'Most companies showing interest are dotcom companies such as the Internet service providers, Web site consultants and companies like banks and retailers which incorporate e-business.' The Government has already warned that small businesses in Hong Kong are vulnerable to computer attacks by hackers and viruses, following two attacks on its Web sites. But insurers and technology experts believe larger companies with good branding and multinational corporations are more attractive targets to hackers than smaller firms. Mr Sweeney said: 'Hackers have made known that the next target after the government Web sites are the [multinational corporations], those which they believe are abusive environmentally and politically, such as the petrochemical and pharmaceuticals companies.' The Productivity Council's Mr Yung said larger companies with good reputation and standing were targets as hackers saw them as a challenge, for psychological satisfaction. Most of the insurers pointed out businesses in Hong Kong were exposed to high risks no matter how good their security systems were, as it was not merely a technical security issue. Mr Yung said: 'No matter how safe your security may be, there is still a chance of your system getting hacked into, as most cases of hacking is due to internal leakage of information.' However, Mr Sweeney suggested it was necessary for businesses to protect themselves from losses; security was a deterrent, and the better the security system, the lower the premium.