
Quantifying e-Commerce Risk

David Fishbaum, FSA, and Chuck McClenahan, FCAS, MMC Enterprise Risk
CAS Seminar on Ratemaking, March 2001

The Problem
- You're the risk manager of a financial institution with a new web site
- Your insurance broker has provided you a quote for new e-commerce risk insurance coverage: $350,000 - $450,000, with low limits
- You're not exactly sure what the risks of the web site are
- What to do?

Background
- The financial institution provides community banks with a product portfolio of ancillary products such as:
  - investments (mutual funds and stock trading)
  - insurance
  - other banking services
- You provide web sites for these community banks for investments, insurance and lending

What are the risks?
- Failure of the web site:
  - problems with the surroundings: power failure, fire or flooding
  - failure of the hardware
  - failure of the software
  - attack through virus or computer hacker

- Resultant damages are also varied:
  - delay in performing a service
  - loss of brand value due to unreliability of service or transmission of a computer virus
  - loss of value through failure to deliver, for example an uncompleted stock trade

Background: E-commerce insurance coverage
- There is an intensive application
  - the problem is that you can't figure out how complex or risky a web site you are running
  - there is a bias to find fault
- A system audit is part of the insurance coverage

How do you insure the high P/E ratio?
- It's 1999 and the price/earnings ratio of the e-commerce function seems to have broken down
- The unspoken issue is: how do you insure the value lost if something happens to the web site?
- Not sure this is an issue today

Why bring in Actuaries?
- Looking for someone to quantify the risk
- We brought a multidisciplinary team of actuaries, economists and a policy expert
- The actuaries provided the quantification and modeling skill sets

Methodology
- Model the web site
- Stochastic testing
- Scenario testing

Model
- MMC ER developed a computer program to model the economic performance of the e-commerce infrastructure
- Used the company's performance statistics
- Used a Monte Carlo simulation to produce expected revenue and branding values
- Based on this quantification, valued the potential losses of a series of scenarios

Flow of Information and quantification of failure probabilities

(Diagram) User's Browser -> ISP Provider -> Application Server/Firewall/Proxy Layer -> Application Host I, Application Host II, Application Host III

In our estimation of the probability of failure at the application host level, elements such as software outage, hardware outage, database performance etc. were considered.

Assumptions
- Visits per week
- Usage over the week
- Revenue
- Customer value
- Application acceptance
- Downtime

Results - Base Case

(Table; the figures did not survive extraction. Columns: 2000, 2001, 2002. Rows: number of participating banks/applications, Internet, application fees, insurance underwriting, TOTAL, new loans to banks, present value of income from new loans.)

The Scenarios
- Denial of service
- Physical damage to hardware location
- New virus brings down complete system
- Malicious employee
- Threats/extortion
- Theft of credit card numbers

The Scenarios: Denial of service
- Attack causes a degradation of performance or loss of service to the web site
- Not covered under current coverage
- Modeling assumption: site down for 3 hours
- Income loss / customer value loss

The Scenarios: Physical damage to hardware location
- Location where the hardware is kept is disabled
- Covered under current insurance
- Modeling assumption: site down for 10 days
- Income loss / customer value loss
- Client bank's lost revenue

The Scenarios: New virus brings down complete system
- Not covered under current coverage
- Modeling assumption: system down for 2 days
- Income loss / customer loss

The Scenarios: Malicious employee
- Destruction of important data or programs
  - Cost of recovery process covered under current coverage
  - Not modeled
- Theft of policyholder info or other intangible property
  - Not covered under current coverage

The Scenarios: Threats/extortion
- Threat to commit a computer crime, or to use information gained from a computer crime, in exchange for money, personal gain or to embarrass the company
- Would be covered under current kidnap and ransom policies

The Scenarios: Theft of credit card numbers
- CD Universe and Salesgate (e-mall)
- No credit card numbers are stored

Results of analysis
- Biggest risk: business interruption
- Third party loss is minimal at this time, though in time the Internet will affect its client relationship

Conclusions
- Better quantification of risks
- Better able to make a purchase decision
- Other risk management decisions
- What isn't at risk is also important

Postscript
- The web site is still in operation
- Strategy has been proven successful

e-Commerce Risk

Bruce Schneier, Secrets and Lies (Wiley Computer Publishing, 2000):

    The insurance industry does this kind of thing all the time; it's how they calculate premiums. They figure out the annual loss expectancy for a given risk, tack on some extra for their operational costs plus some profit and use the result

Bruce Schneier, Secrets and Lies (Wiley Computer Publishing, 2000):

    Of course there's going to be a lot of guesswork in any of these; the particular risks we're talking about are just too new and too poorly understood to be better quantized (sic).

Pricing e-Commerce Risk
- Determine Strategy
- Identify the Risks
- Collect Available Data
- Develop Model
- Price According to Strategy

Determine Strategy
- Guess and Confess
- Loss Leader
- Self-Supporting
- Franklin Approach

Determine Strategy - Guess and Confess
- Insurer uses best available judgment (usually discovered deep in the bowels of the marketing department) as to the proper rate
- Alternatively, rely on advice of career agents

Determine Strategy - Loss Leader
- Aptly named, this strategy is based upon the assumption that the best way to develop experience and expertise is to write a lot of exposure

Determine Strategy - Self-Supporting
- Goal is to cover losses and expenses, including start-up expenses, over some reasonable period of time
- This is a radical strategy and has rarely been adopted in the property-casualty industry

Determine Strategy - Franklin Approach
- Focuses on loss avoidance
- Underwrites against undesirable hazards, e.g.
  - large user base
  - large asset base
  - high public profile

Identify the Risks
- We have a good track record here:
  - Medical Malpractice
  - Computer Leasing
  - Asbestos and Environmental

How many do you recognize?
- Daemon - a structured background process
- Data mining - looking for hidden data patterns
- Digital wallet - encryption software, user ID
- Extranet - authorized outsider-available intranet
- Luhn formula - credit card verifying algorithm
- Smart card
- Thin client


Luhn formula
(1) Start with the penultimate digit and, moving left, double the value of each alternating digit. If you get a two-digit number, add the two digits.
(2) Add up all the digits. The result must be zero mod 10.

Worked example:
  1234 567890 12347   (number to check)
  1438 537790 14387   (after step 1)
  1+4+3+8+5+3+7+7+9+0+1+4+3+8+7 = 70, and 70 mod 10 = 0, so the number passes.
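The two steps above, plus the issuer-side inverse (computing the check digit) and the use a security team most often has for Luhn today: filtering card-like digit runs out of logs or dumps before treating them as card data. This is an added example, not code from the deck; the log lines in SAMPLE_LOG are constructed (one of them is the slide's own worked number). The caveat a practitioner should keep in mind: Luhn is an integrity check against transcription errors (it catches every single-digit error and every adjacent transposition except 09/90), not a secret and not a security control; anyone can mint numbers that pass it.

```python
import re


def luhn_transform(number):
    """Step (1) of the slide: take the digits, start at the penultimate digit and,
    moving left, double every other one; a two-digit product is replaced by the
    sum of its digits (for a single doubled digit that is the same as subtracting 9).
    Non-digits (spaces, dashes) are ignored so '1234 567890 12347' works as written."""
    digits = [int(c) for c in number if c.isdigit()]
    out = []
    for i, d in enumerate(reversed(digits)):  # i == 0 is the rightmost (check) digit
        if i % 2 == 1:                        # penultimate, then every second digit leftward
            d *= 2
            if d > 9:
                d -= 9
        out.append(d)
    return out[::-1]


def luhn_valid(number):
    """Step (2) of the slide: the transformed digits must sum to 0 mod 10."""
    digits = luhn_transform(number)
    return len(digits) >= 2 and sum(digits) % 10 == 0


def luhn_check_digit(partial):
    """Issuer side: the digit to append to `partial` so the full number passes luhn_valid.
    Appending a placeholder 0 puts the real digits in their final (doubled/not doubled)
    positions; the check digit itself is never doubled, so it just closes the gap to 10."""
    total = sum(luhn_transform(partial + "0"))
    return (10 - total % 10) % 10


# Detection use: 13-19 digit runs, optionally separated by spaces or dashes,
# not embedded in a longer digit run. Luhn then discards most timestamps, order
# numbers and phone numbers that happen to have a card-like length.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def find_luhn_valid_numbers(text):
    """Return the digit strings in `text` that look like card numbers and pass Luhn."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


# Constructed sample log lines (not from the deck); only the first carries a Luhn-valid number.
SAMPLE_LOG = (
    "order=8817 card=1234 567890 12347 status=ok\n"            # the slide's worked example
    "order=8818 card=4111-1111-1111-1112 status=declined\n"    # 16 digits, fails the check
    "order=8819 ref=20010315123456 total=42.00\n"              # 14-digit timestamp, fails the check
)

if __name__ == "__main__":
    print(luhn_transform("1234 567890 12347"), sum(luhn_transform("1234 567890 12347")))
    print(luhn_check_digit("12345678901234"))
    print(find_luhn_valid_numbers(SAMPLE_LOG))
```

In a real scanner the Luhn filter sits behind a length and issuer-prefix check and in front of a tokenisation or redaction step; on its own it only says "this could be a card number", which is exactly why the deck's "no credit card numbers are stored" is the stronger control.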

How many do you recognize? (continued)
- Smart card - personal electronic memory card
- Thin client - network computer without a hard drive

Ingram Micro Inc. v. American Guarantee & Liability Insurance Company

    The court finds that physical damage is not restricted to the physical destruction or harm of computer circuitry, but includes loss of access, loss of use and loss of functionality.

    Restricting the policy's language to that proposed by American [i.e. that contained in the policy] would be archaic.

- TD Waterhouse fined $225,000 for repeated outages which left customers unable to trade
- 11 online brokers reported 88 outages for the first 9 months of 1999 (a 12th firm reported so many outages it didn't keep track)

Collect Available Data
- Exposure base not well-defined
- Economic costs of losses not disclosed
- Industry is young and evolving
- Threat base is also evolving

Collect Available Data
- Remember, Lloyd's List was started in 1696, but it wasn't until 75 years later that the Society of Lloyd's was formed

Develop Model
- Identify major processes
- Identify major threats
- Relate threats to processes
- Determine (or guess at) parameters

Example - Distributed Denial of Service (DDoS)

Attack of the Zombies - February 2000
- Monday, February 7
  - Yahoo! portal rendered inaccessible for 3 hours
- Tuesday, February 8
  - Buy.com 90% inaccessible
  - eBay incapacitated
  - CNN 95% inaccessible
  - Amazon.com slowed to 5 minute access time
- Wednesday, February 9
  - ZDNet.com unreachable
  - E*Trade slowed to a crawl
  - Excite 60% inaccessible

How DDoS Works
- Goal is to render the system inoperable
- One attacker controls multiple servers
- Method: break into numerous sites, install an attack script and orchestrate a coordinated attack

(Diagram) Hacker -> unwitting host ("zombie") -> other network computers -> victim's server, which is also what the legitimate user PCs are trying to reach

Hypothetical DDoS Costs
(Chart; values did not survive extraction. Series: Marketing Cost, Security Cost, Revenue Loss; x-axis: Minutes of Outage; y-axis: dollars.)

Hypothetical Cumulative DDoS Frequency
(Chart; values did not survive extraction. x-axis: Minutes of Outage; y-axis: cumulative frequency, percent.)
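The deck describes its model twice: once as the Monte Carlo over visits per week, usage over the week, revenue, customer value and downtime that valued the three downtime scenarios (3 hours, 2 days, 10 days), and once as the four "Develop Model" steps behind the hypothetical DDoS cost and frequency curves. The following is an added example of that frequency/severity approach in working code; it is not MMC's program and none of the numbers are the deck's. Every parameter (visit counts, revenue per visit, customer value, the churn threshold after which an outage starts costing customers, the Poisson outage rate and the lognormal outage duration) is a constructed assumption, chosen only to make the mechanics visible. It prices the deck's scenarios deterministically, simulates annual loss to get an annual loss expectancy and tail percentiles, and loads the ALE for expenses and profit in the way the Schneier quote describes.

```python
import math
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class SiteAssumptions:
    """The deck's assumption categories with constructed values (not the deck's figures)."""
    visits_per_week: float = 70_000.0
    # Usage over the week: share of weekly visits falling on Mon..Sun (constructed).
    usage_profile: tuple = (0.10, 0.18, 0.18, 0.18, 0.18, 0.10, 0.08)
    revenue_per_visit: float = 1.50      # revenue: USD earned per visit served
    customer_value: float = 400.0        # customer value: lifetime value of a customer lost
    churn_threshold_min: float = 120.0   # outages longer than this start costing customers
    churn_fraction: float = 0.02         # share of turned-away visitors who do not come back
    incident_cost: float = 5_000.0       # fixed security/recovery cost per incident


def visits_per_minute(a, weekday=None):
    """Visitor arrival rate: weekday 0..6 uses the usage profile, None the weekly average."""
    if weekday is None:
        return a.visits_per_week / (7 * 24 * 60)
    return a.visits_per_week * a.usage_profile[weekday] / (24 * 60)


def outage_loss(a, minutes, weekday=None):
    """Severity of one outage: income loss, customer-value loss and incident cost.
    Customer loss only kicks in past the churn threshold, which makes severity nonlinear
    in downtime; that is why the tail of the annual distribution matters for limits."""
    affected = visits_per_minute(a, weekday) * minutes
    revenue_loss = affected * a.revenue_per_visit
    customer_loss = 0.0
    if minutes > a.churn_threshold_min:
        customer_loss = affected * a.churn_fraction * a.customer_value
    return revenue_loss + customer_loss + a.incident_cost


def scenario_losses(a):
    """Scenario testing: the deck's downtime assumptions priced through the severity model."""
    return {
        "denial of service (3 hours)": outage_loss(a, 3 * 60, weekday=1),
        "new virus (2 days)": outage_loss(a, 2 * 24 * 60),
        "physical damage (10 days)": outage_loss(a, 10 * 24 * 60),
    }


def poisson_count(rng, rate):
    """Events in one year, counted as arrivals of a Poisson process with the given annual rate."""
    if rate <= 0:
        return 0
    n, t = 0, rng.expovariate(rate)
    while t < 1.0:
        n += 1
        t += rng.expovariate(rate)
    return n


def simulate(a, outages_per_year, median_minutes, sigma=1.0, years=20_000, seed=2001):
    """Stochastic testing: Monte Carlo over simulated years. Outage count is Poisson,
    duration is lognormal around `median_minutes`, the weekday is drawn uniformly."""
    rng = random.Random(seed)
    mu = math.log(median_minutes)
    annual = []
    for _ in range(years):
        total = 0.0
        for _ in range(poisson_count(rng, outages_per_year)):
            minutes = rng.lognormvariate(mu, sigma)
            total += outage_loss(a, minutes, weekday=rng.randrange(7))
        annual.append(total)
    annual.sort()
    n = len(annual)
    return {
        "ale": statistics.fmean(annual),   # annual loss expectancy
        "p50": annual[n // 2],
        "p95": annual[int(0.95 * n)],
        "p99": annual[int(0.99 * n)],
        "max": annual[-1],
    }


def indicated_premium(ale, expense_load=0.25, profit_load=0.05):
    """ALE plus loadings for the insurer's expenses and profit (the pricing Schneier describes).
    Loadings are constructed; a real rate filing would derive them from the chosen strategy."""
    return ale * (1.0 + expense_load + profit_load)


if __name__ == "__main__":
    site = SiteAssumptions()
    for name, loss in scenario_losses(site).items():
        print(f"{name:28s} ${loss:>12,.0f}")
    result = simulate(site, outages_per_year=4.0, median_minutes=60.0)
    for key, value in result.items():
        print(f"{key:4s} ${value:>12,.0f}")
    print(f"indicated premium ${indicated_premium(result['ale']):,.0f}")
```

Compare the scenario table with the percentiles: the scenario losses tell you what a named event costs, the p95/p99 of the simulation tell you how much of that a policy limit needs to cover in a bad year, and the gap between ALE and p99 is the argument for or against the "low limits" in the broker's quote. Frequency is the parameter you have least data for, which is the point of the "Collect Available Data" slides; vary it and watch the ALE scale with it linearly while the tail does not.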

Price According to Strategy
- Frequency will vary with:
  - Popularity
  - Profile
  - Potential

Price According to Strategy
- Severity will vary: eToys v. E*Trade

"You gotta be careful if you don't know where you're going, 'cause you might not get there."
- Yogi Berra
