
Computer insurance:—Its contribution to risk management


MARCH - APRIL THE COMPUTER LAW AND SECURITY REPORT

which is binding and directly applicable in all Member States entered into force on 1 May 1985. Other countries which are known to have implemented the Decision include Canada, the United States, Japan and Romania. The approach adopted by Canada warrants special mention. In Canada valuation will continue to be on the basis of the transaction value. However, pursuant to Order in Council P.C. 1985-277 of 31 January, 1985, remission has been granted on the difference between the duty normally payable on the carrier media bearing instructions or data and that which would otherwise be payable on the value of the carrier media. This excludes the value of the instructions or data content but includes the cost of reproducing the instructions or data on it. Therefore duty (and taxes) apply only on the value of the physical media.

CONCLUDING REMARKS

Tariff classification and Customs valuation are difficult fields requiring expertise which the author of the present article does not claim to possess. However, it might be correct to conclude that it was trade policy rather than technical considerations which led to the Software Decision. Whatever conclusions one might reach in evaluating the Decision, it is hoped that this series of articles has given an insight into how the popularisation of computer technology is posing new problems in different fields of work. The practices of the computer industry have to be taken into account in searching for sound technical solutions to many of the problems.

Theo Lyimo

Theo Lyimo is Senior Technical Officer with the Customs Co-operation Council in Brussels. This article is personal. The C.C.C. is not associated with any issue or view expressed herein.

RISK MANAGEMENT

COMPUTER INSURANCE: - ITS CONTRIBUTION TO RISK MANAGEMENT

Over the next four issues I will be examining the range of insurance policies available to the computer user. The articles will identify the main area of cover that should be under your control - the exclusions to avoid and the extensions to include.

The first of these articles deals with the insurance of the hardware itself, but before examining this topic it will help to take an overview of computer insurance in general.

A TYPICAL INSURANCE PLAN

To my knowledge, no single comprehensive computer insurance package is available on the UK market. The major risks relating to computers used for commercial applications are usually covered by four policies:-

1. Fire and specified catastrophe perils (usually lightning, aircraft and explosion) on all property including the computer.

2. Consequential losses following an event insured under (1).

3. A policy specific to the computer installation covering:

(a) Loss or damage to the computer excluding fire and the perils specified under policy (1)

(b) Increased costs incurred following an event insured under (3a).

4. General employee dishonesty (fidelity guarantee) cover including, tacitly or explicitly, the computer fraud risk.

In addition specialist covers may be taken out in response to particular high risk activities:

5. Computer misuse - the reasons for this cover are explained later.

6. (Where data processing is undertaken for outside companies) - Professional Indemnity cover.

Whilst the number of policies should be limited as much as possible to avoid demarcation problems (particularly if different insurers are involved) some dovetailing will be unavoidable - even if it is only between the computer package and other non-computer covers.

To deal now with hardware insurance in particular:

As we have already seen, this cover may be shared between two policies: cover against fire and other defined catastrophe perils provided as part of an overall cover on all property, and cover against the balance of risks provided by a specific computer policy. Alternatively the recent soft (but now hardening) insurance market encouraged full 'all risks' cover on all property, thus apparently removing the need for the separate computer contract. A third alternative is to exclude the computer from the overall property cover and arrange all cover under a computer policy. Whichever route is chosen the general trend is to arrange full 'all risks' cover on the hardware in recognition of its vulnerability to non 'catastrophe' risks such as accidental damage, malicious attack and the 'wet' perils of burst pipes, storm and flood.

The nature of computing equipment and its applications, however, introduces risk problems that are not solved merely by the arrangement of a wide 'all risks' policy. As we will see most of these problems relate to the applications, or consequential aspects of computing. However some do relate to hardware damage, the most common being:

BASIS OF SETTLEMENT

Many years ago all material damage policies utilised the indemnity basis of settlement, that is current market price less due allowance for depreciation. In recent years it has been possible to purchase cover on the basis of reinstatement (new for old) so that, subject to the adequacy of the sum insured, the basis of settlement in the event of total loss or destruction is current market price without such depreciation allowance. For obsolete equipment the basis negotiated with the adjuster at the time of the loss is normally the last list price adjusted for subsequent inflation.


THE COMPUTER LAW AND SECURITY REPORT 6 CLSR

Whilst the alternatives of indemnity or reinstatement are quite satisfactory for conventional plant and machinery, they do not recognise the fact that computing equipment, and indeed other capital items with a heavy high technology content, is becoming progressively cheaper byte for byte or function for function. This can create a situation where a computer can be insured for its purchase price and at the time of the loss two or three years later replacement equipment of equivalent computing capacity can cost significantly less. The insured is thus in a dilemma: to gradually reduce the sum insured could create problems in the event of partial damage and hence high repair costs.

In practice because computer applications are continually expanding it could well be that the insured would wish to upgrade in the event of a loss, thus anticipating a change which may have been planned for a later date. On a standard settlement basis he cannot do so without contributing to the up-grade even if the sum insured is adequate, as both indemnity and reinstatement bases of settlement require betterment to be taken into consideration.

It is important that the up-grade plans are kept firmly in mind when developing the contingency recovery strategy and when determining the nature of computer cover. Probably the best solution is the type of wording recently introduced into the computer market which allows for the purchase of replacement equipment with a value '... not greater than the value of the sum insured. Such agreed indemnity shall not require a contribution by the insured for betterment on account of such things as improved performance or storage capacity.'

BREAKDOWN:

Insurers' position on breakdown differs significantly with the insurer concerned. Many computer insurers consider breakdown to be included within the scope of the policy without the need for special mention as the basic wording of 'all risks of physical loss or damage' is sufficient to embrace breakdown which by interpretation must mean minor component damage.

However:

(i) Virtually all insurers include a warranty that a maintenance agreement, usually including preventative maintenance, remains in force throughout the life of the insurance policy, and thus the computer policy only applies to those elements of breakdown that are not picked up by the maintenance contract. This normally means the items commonly excluded by the maintenance contract, that is user's negligence or physical misuse of the computer.

(ii) Some insurers now provide 'full breakdown' cover as an extension to a computer policy merely by deleting the maintenance warranty. It should be noted however that cover is still subject to the basic criteria of loss or damage and will not include the cost of preventative maintenance, consumables and, dependent upon the wording, items subject to normal wear and tear. This limitation is particularly relevant to moving parts such as those in disk and tape drives and printers.

There are many pitfalls to insured maintenance, particularly if it involves a move away from a guaranteed response time contract with a reputable company. This subject will be discussed in more detail by Martin Hasker in an article on maintenance decisions, but in essence if the insurer offering to cover breakdown costs also offers full consequential loss cover (loss of profits, not just increased costs) the proposition may be viable - but bear in mind the time excess under the profits cover (usually 24 hours). If full profits cover is not available, think carefully: you may be carrying the greater risk uninsured.

(iii) A once common exclusion on all computer policies, now no longer so common but still utilised by some insurers, is 'derangement'. There does not appear to be a uniform interpretation of this exclusion as used on a computer policy, but the consensus is that it is intended to exclude breakdown without apparent damage: an internal adjustment being required, or correctly seating a loose circuit board or plug. However, there have been instances where the exclusion has been applied initially and the insured has been forced to employ consultants to identify the cause of the breakdown, thus validating the insurance claim. Such independent investigation costs may not be covered by a computer policy but in any event the simplest solution is to remove the exclusion entirely.

SOFTWARE AND DATA:

Whilst cover for physical loss or damage to data carrying media, including in some cases reinstatement of the lost data, is normally included within the hardware damage cover, I shall deal with this topic in a separate article in recognition of the complexities involved.

REPAIR INVESTIGATION COSTS

There are several firms specialising in the recovery of smoke or water contaminated computing equipment. It could well be, however, that an unsuccessful attempt will be made to recover the equipment and the final claim will therefore include the aborted recovery charges in addition to the purchase of a new computer. It is wise to include this cover, usually expressed as a percentage of the sum insured or a maximum figure, IN ADDITION TO the sum insured.

AUTOMATIC COVER:

There is a tendency within a DP environment for new equipment to be purchased on a regular basis. Ideally, the computer cover should include a blanket sum insured without the need to specify individual items as otherwise the policy will have to be continually endorsed. However, the blanket sum insured itself could quickly become out of date and it is wise to include provision for automatic cover on additional equipment, again subject to a maximum percentage increase.


EQUIPMENT IN TRANSIT:

Most computer policies cover computer equipment as fixed equipment without providing any cover for the risks incurred whilst the equipment is in transit, or whilst being installed or dismantled (apart from fixed maintenance/repair). It may be possible to obtain some automatic cover under the hardware policy but in any event it is important to advise insurers before any equipment move is undertaken.

TERMINALS:

Whilst cover will apply to the locations at which CPU's are installed there may be many other premises that participate in the DP network. From a convenience point of view, remote terminals should be covered as a generic item rather than having to notify insurers of every new location.

ACHIEVING THE OBJECTIVES

No one insurer provides the right cover in all the areas outlined. You, or your broker, will have to negotiate - and be prepared to compromise. The better your risk - and the better your presentation of that risk to the underwriter - the better will be your chance of success.

David Davies

THE RISKS INVOLVED IN COMPUTERISATION

WHAT DOES GO WRONG - THE FACTS

In the last issue of The Report I considered the corporate implications of computer security and outlined the areas of potential risk in the process of computerisation. I shall now go on to examine the problem more specifically drawing upon examples and illustrations of what does go wrong in practice.

RISK AREAS

The following chart illustrates the major risk areas of physical damage and system interference to the computing environment.

[Chart: RISKS - COMPUTING ENVIRONMENT. Labels: Physical damage; System interference; Power; Water; Heat; Air conditioning; Hardware; Communication; Data; Software (Application, Systems).]

Main frame computers require certain basic amenities in the physical environment in order to function properly. Computer systems, on the other hand, rely on the reliability and integrity of input data, central hardware, system software, communications equipment, and application programs to produce meaningful information which should be accurate and timely to help management with decision making and business administration. I shall examine the two risk areas in greater detail in the following two sections.

PHYSICAL DAMAGE

FACTS AND FIGURES

The causes of damage could range from natural hazards of fire, flood, land subsidence, etc. to deliberate acts of arson, explosion, vandalism and sabotage. Damage may be inflicted on various physical assets ranging from equipment, the physical environment, to storage media, documentation and people. This is illustrated below:
