Innovative E-Business Insurance Protection for Customers of Counterpane Internet Security, Inc.
prepared by Frank Crystal & Co., Inc. and Counterpane Internet Security, Inc.
Introduction
E-business today is inherently insecure. The widespread Internet connectivity that enables extensive commercial opportunity also produces an environment that is vulnerable to unauthorized network access. This opens the door to such events as stolen passwords, tapped communication lines, flooded networks and more, any one of which could have devastating consequences to an enterprise. To protect themselves from these mission-critical risks, e-businesses must develop a comprehensive risk management strategy.
Three pillars support a comprehensive risk management strategy for any business:
- Risk Assessment techniques identify and quantify potential business risks, such as the impact of a breach of computer network security.
- Risk Mitigation measures, such as an integrated plan of Prevention, Detection, and Response to potential security threats, may minimize or eliminate many of these risks.
- Risk Transfer mechanisms, such as insurance policies, protect against residual security risks and provide compensation for losses resulting from events like a breach of security.
Today, only the first two pillars of risk management are available to e-businesses. Many consulting firms offer competent risk assessment as well as technology capable of partial risk mitigation. Companies that utilize the substantial technical acumen of Counterpane Internet Security add real-time human expertise and response to their arsenal, thereby maximizing the effectiveness of their security infrastructure and minimizing the risk of unauthorized access that would result in business interruption and loss.
Unfortunately, the insurance industry has not yet demonstrated the expertise or the flexibility required to keep pace with the rapid evolution of technology and the e-business environment. As a consequence, few risk transfer solutions are available to meet e-businesses' specialized needs.
Counterpane Internet Security, Inc., in partnership with Frank Crystal & Co., SafeOnline Ltd., and Lloyd's of London, has responded to this need by developing a comprehensive risk management solution designed specifically to meet the needs of today's e-businesses.
Prevention, Detection, and Response
Counterpane Internet Security has a process rather than a product approach to security. The company recognizes that there are three key factors to maintaining effective network security:
Prevention: There are numerous products and services available for prevention of security intrusions and breaches. Companies must determine which products to install, who to train to use and update them, and how to continually adapt these products as the enterprise changes, merges, or acquires new entities. Unfortunately, prevention mechanisms are not perfect. Programs may have bugs or other inadequacies that can be exploited by determined malicious hackers.
Detection: Even when prevention products are working correctly, they generate continuous, voluminous audit reports and corresponding alarms. If these reports and alarms are not analyzed and understood, intrusions go undetected, and the network remains vulnerable to attack. Proper detection of attempted security breaches requires that appropriate information be identified and analyzed. This includes active monitoring of audit logs and interpretation of alarms by experts who understand the behavior patterns of real intrusions.
Response: When possible security breaches are identified, specially-trained security analysts determine the appropriate course of action. These analysts alert network administrators, according to a predetermined protocol, and they also guide them through enactment of proper security remedies until the breach is rectified. By properly responding to such incidents in a timely manner, the risk of loss of data or business interruption is minimized.
Counterpane Internet Security, Inc. is the first entrant into what industry analysts have named Managed Security Monitoring (MSM). This dynamic service fully addresses the above-described detection and response issues. By adding the key ingredient of real-time monitoring and analysis by security experts, Counterpane offers the most comprehensive network security service available today.
The Third Pillar: Risk Transfer Solutions from Lloyd's
For companies to effectively manage the risk of conducting e-business, they must not only implement Risk Assessment and Risk Mitigation measures, such as those offered by Counterpane and security product vendors, but must also incorporate the third pillar of a comprehensive risk management strategy: Risk Transfer.
To fulfill this need, Counterpane has worked with leading insurance broker Frank Crystal & Co. and digital risk solution provider SafeOnline to design custom insurance solutions secured by Lloyd's of London. Counterpane has the requisite technological expertise to provide insurers with a reliable Baseline Security Assessment of its customers' networks. This assessment element and Counterpane's previously unavailable 24X7 Managed Security Monitoring service give insurers the confidence to offer attractive Risk Transfer solutions to the e-business community.
Through this partnership, Counterpane's customers gain exclusive access to two innovative insurance programs:
Internet Asset and Income Protection Coverage: Provides insurance for loss of, or damage to, information assets (e.g., data, customer lists, credit card numbers, budgets, proposals, work papers or any other digital information) resulting from a breach of security or technology failure. The insurance also covers business interruption due to loss of use resulting from a breach of security.
Internet Asset and Income Protection Warranty Plan: Previously unavailable, this turn-key, insurance-backed warranty plan enables Internet Service Providers (ISPs) and Application Service Providers (ASPs) who utilize Counterpane's services to extend Internet Asset and Income Protection to their customers quickly and at costs significantly below market rates.
These programs are highly complementary, with the first program providing protection for Counterpane's clients and the second for customers of ISPs and ASPs that utilize Counterpane's services.
For example, a web-hosting service provider that utilizes Counterpane's MSM services may obtain Internet Asset and Income Protection Coverage to protect itself from damages resulting from a security breach. The same web-hosting company might also offer its customers (e.g., e-businesses) the opportunity to obtain coverage for themselves under the Warranty Plan.
Both of these insurance programs are described in further detail in the sections on the following pages.
Internet Asset and Income Protection Insurance Coverage
Insurance should be available to protect e-businesses against damages from residual Internet security risks, but the policies currently on the market place severe limitations on the coverage available. This is primarily due to the insurers' reliance on static security assessments.
Counterpane Internet Security, in partnership with Frank Crystal & Co., SafeOnline Ltd. and Lloyd's of London, has designed an Internet security insurance policy that takes advantage of Counterpane's dynamic Managed Security Monitoring (MSM) service to provide Counterpane's customers with expanded insurance coverage at a discounted premium.
Product Offering
Internet Asset and Income Protection Insurance provides first-party coverage defined as follows [1]:
- Cyber Damage covers the cost to repair and replace data and/or software to same standard following a hacker damaging, destroying, altering, corrupting or misusing the customer's electronic device(s).
- Cyber Revenue Protection covers lost revenues following a service interruption or service impairment, caused by activities of a hacker specifically targeting the electronic device including by maliciously blocking access electronically to such electronic device.
- Extortion Protection covers extortion monies and expenses in connection with a threatened computer attack, including the cost of a specialist-consultant's assistance in a security crisis and any subsequent negotiation, including payment of a ransom demand.
"Information assets" may include data, customer lists, budgets, proposals, work papers or any other digital information, and these assets are valued at the cost to recreate or reproduce them. A business interruption loss will be valued as the financial loss experienced by a customer due to the loss of use of service for a period of time exceeding eight hours.
Pricing Structure
Prices for the Internet Asset and Income Protection Insurance will be set by the insurers at Lloyd's. Underwriters measure the security risks associated with a customer's environment and consider the following factors: security infrastructure, practices, procedures, industry hazard, and scope of operation.
A pricing matrix will be created for companies with less than $50 Million in annual revenue, those between $50 Million and $250 Million in revenue, and for those with revenues in excess of $250 Million. Companies will be further categorized as Low, Medium or High hazard, with a rate modification factor that is dependent on the risk associated with their respective industry.
The premium for the insurance policy will typically start at $20,000 for $1,000,000 of coverage, and escalate to $75,000 for $10,000,000 of coverage. The actual premiums will be dependent upon the factors outlined above. The dynamic nature of Counterpane Internet Security's monitoring enables underwriters to offer rates that are 20-40% lower than alternative coverage available in the marketplace.
Internet Asset and Income Protection Insurance-Backed Warranty Plan
Insurance has traditionally been a mechanism used to protect a company after-the-fact, in the event of loss. Counterpane Internet Security understands the risks associated with trust-based services such as Internet Service Providers (ISPs) and Application Service Providers (ASPs) and acknowledges the inadequacy of this defensive stance.
As a result, Counterpane Internet Security, in partnership with Frank Crystal & Co., SafeOnline Ltd., and Lloyd's of London, has developed an Insurance-Backed Warranty Plan specifically designed for e-business service providers. Unlike traditional insurance policies, the insurance-backed warranty is a pro-active, brand-enhancing financial assurance product that provides direct financial recourse to customers in the event of a loss.
Product Offering
Counterpane customers will be able to obtain an Internet Service Agreement insurance policy underwritten by Lloyd's of London. This policy backs an Internet Asset and Income Protection Warranty Plan that enables e-business service providers to provide their customers with financial protection for:
- Loss of or damage to information assets arising out of a breach of security; and
- Business interruption due to loss of use.
Under the terms of such a plan, "information assets" may include data, customer lists, budgets, proposals, work papers or any other digital information, and these assets are valued at the cost to recreate or reproduce them. A business interruption loss will be valued as the financial loss experienced by a customer due to the loss of use of service for a period of time exceeding eight consecutive hours.
Product Benefits
The Internet Asset and Income Protection Warranty Plan can be considered both a proactive marketing tool and a potential profit center.
First, the warranty plan can substantially enhance the brand of trust-based services, such as ISPs and ASPs. For example, sales and marketing teams can use this financial guarantee to assuage customers' concerns regarding the security and reliability of a service provider. Additionally, a service-level warranty supports efforts to differentiate a service provider from competitors that may not be able to offer such a warranty.
In addition, the insurance-backed warranty represents a potentially attractive new source of revenue for service providers because the companies could up-sell premium levels of warranty coverage to those customers desiring such additional protection, at rates above cost.
Finally, an insurance-backed warranty can substantially reduce a service provider's financial risk as well as the need to reserve for liability-related losses on the company's balance sheet.
Description of Warranty Plan
The Internet service agreement insurance policy backing the plan will pay those sums that the customer becomes legally obligated to pay as claims to its customers under the terms of the warranty plan.
With input from the service provider's marketing department, the insurers can customize a tiered program. The following table outlines the coverages offered under the warranty plan, with generic terms for the tiers: Basic, Silver, Gold, and Platinum.
Sample Warranty Plan: Tiers & Coverage
| Plan | Level of Protection Per Customer | Coverage |
| Basic | $10,000 | Cyber Damage |
| Silver | $100,000 | Cyber Damage, Cyber Revenue Protection |
| Gold | $250,000 | Cyber Damage, Cyber Revenue Protection, Extortion Protection |
| Platinum | $1,000,000 | Cyber Damage, Cyber Revenue Protection, Extortion Protection |
Coverage provided is defined as follows:
- Cyber Damage covers the cost to repair and replace data and/or software to same standard following a hacker damaging, destroying, altering, corrupting or misusing the customer's electronic device(s).
- Cyber Revenue Protection covers lost revenues following a service interruption or service impairment, caused by activities of a hacker specifically targeting the electronic device including maliciously blocking access electronically to such electronic device.
- Extortion Protection covers the costs of a specialist-consultant provider's assistance in a security crisis and any subsequent negotiation including payment of a ransom demand.
The "level of protection per customer" refers to the amount of coverage that will be available to each customer of a service provider who subscribes to the warranty. The Internet service agreement insurance policy backing the plan will also be subject to an aggregate limit of liability that is based upon the needs of the customer. It is expected that up to $100,000,000 of capacity will be available to any customer that receives a favorable Counterpane Baseline Security Assessment.
So that a service provider may receive the full benefit of the brand-enhancing aspects of the warranty plan, it is recommended that a Basic level of warranty protection be bundled with the client's service, at no additional charge to the customer.
Pricing Structure
Pricing for the Internet Asset and Income Protection Warranty Plan will be set by the insurers at Lloyd's. Underwriters measure the security risks associated with a service provider's environment and consider the following factors: security infrastructure, practices, procedures, industry hazard, and scope of operation.
The ultimate cost of the insurance backing the warranty plan will be a function of the size of the service provider and the level of participation. The pricing matrix has been designed to follow typical pricing models so that increased costs track with growth in revenue. For example, costs may be on a per-month or on a per-transaction basis.
Note that premium costs represent the amount paid by a service provider to the insurers for backing the warranty (i.e., wholesale price). A service provider may choose to offer this warranty to its customers at a premium (i.e., retail price).
Customarily, underwriters require that customers maintain a small deductible or retention, but this may be waived under certain circumstances. If a deductible or retention is required, the customer would need to set up an internal accrual in the event of any claims under the program.
For more information, please contact:
Counterpane Internet Security, Incorporated
Corporate Headquarters
1090 La Avenida
Mountain View, CA 94043
Ph: 650-404-2400
Fx: 650-903-0461
http://www.counterpane.com
1. Coverage applies only to devices monitored by Counterpane Internet Security and coverage will be considered null and void, and any contract in place will be cancelled in the event that the insured ceases to utilize Counterpane Internet Security's services.