Protecting soft wares

Software runs everything these days. Nowhere is that more true than in business. But the business of providing business software faces a few hurdles when it comes to risk management. Among those are the relatively young age of the industry and the scarcity of coverage for critical issues such as intellectual property.

Information wants to be free, author Stewart Brand once said, in a remark that still holds both promise and peril for the companies that provide the software that runs modern business.

Software makes modern business work by helping to move vast amounts of information around the world at lightning speed. But technology also makes it easier to share or steal information and to copy proprietary software, a fact that has made intellectual property one of the top concerns for risk managers at enterprise software companies.

"The biggest challenges for software companies are typically your professional liability, your intellectual property, your directors and officers liability and your business interruption exposure," says George Haitsch, vice president of corporate risk for SAP America, the largest enterprise software company.

"Depending on who the software company is, you may also have some significant risk related to your brand and your market presence. That's how I rank my risks and I think that would be fairly representative of our peer group as well," Haitsch says.

But disputes over intellectual property have become a high-profile challenge for risk managers seeking to protect the value of their companies' software and to fend off patent and copyright challenges from companies seeking to make up in the courtroom what they have lost in the marketplace.

"What we're hearing is there is a lot of concern about patent infringement and that's an area where you really can't at this point buy any viable liability cover. The products that are available are so few and so highly priced. Really they're just not affordable, and it's just an exchange of dollars with insurance companies," says Mari-Jo Hill, director of risk management at North Carolina-based business analytics software company SAS.

A trend by companies to seek so-called business method patents that cover a process, such as buying goods online, has heightened uncertainty and the risk in intellectual property disputes.

"Patent is becoming a bigger and bigger issue, especially for software companies," says Keith Kupferschmid, vice president of intellectual property for the Washington, D.C.-based Software & Information Industry Association.

"Recently there has been a lot of what people in the industry would call frivolous lawsuits. Companies going out there and getting patents on particular technologies or technological solution, and then going ahead and suing entire industries," Kupferschmid says.

LAWYERING LINUX

Among the big legal battles is the claim being pressed by software company SCO Group Inc. that it holds the rights to some of the code used in the popular Linux operating system, the so-called open source software that has been available to users without royalties.

In 2003, SCO sued IBM Corp. in a dispute over the Linux code and then launched a broadside at 1,500 large corporations seeking royalty payments for the use of Linux software.

IBM has fought back aggressively and offered to indemnify customers against claims by SCO. Other companies such as Hewlett-Packard Co., also have said they will protect their customers against the Linux claims.

In another case, Sun Microsystems recently agreed to pay $92 million to Eastman Kodak Co. to settle a dispute over whether Sun's ubiquitous Java programming language infringed Kodak patents. Saying it would "take bullets" for its customers, Sun which built up a cash cushion of more than $7 billion in the Internet boom years--said it would protect its customers against intellectual property claims that might arise over Java.

In fact, just the threat of costly legal battles can induce companies to settle cases they might have won by proving that similar techniques, knowledge or business methods existed beforehand in what is known as "prior art."

"In many cases these patents are eventually invalidated," Kupferschmid says. "It still costs the companies regardless even though they're not paying some sort of damage amount at the end of the day, they are paying a significant amount of expenses in hiring patent attorneys and searching the globe for this prior art." In some cases, the legal battles are just another competitive strategy.

"Particularly with software, the competition is so fierce that intellectual property litigation is very prolific--almost as a competitive tactic where companies will sue each other and get injunctions to create competitive advantage for their own product or to say there's a violation of my copyright on this particular software and as part of the settlement I get royalties on your software," says Brenda Shelly, executive vice president leading the technology industry group at broker Willlis Executive Risk.

Another issue for software companies is the risk that a programmer may inadvertently insert another company's code into a product. That type of issue, which was not as big a concern in the past, nowadays can open a legal can of worms.

"As we've seen in the D&O marketplace, specialized law firms just jump on those opportunities to create income for themselves and nice damage awards on behalf of their clients. The defense costs alone are so prohibitive that it creates a whole new level of potential loss that is uninsurable at this point," says Hill, whose company is the largest privately owned software firm with 2003 revenues of more than $1.3 billion.

THE PAPER TRAIL

With intellectual property coverage so expensive, companies may seek to manage that risk through aggressive legal strategies.

"When you look at the upfront cost for the insurance policy and when you look at what it might be covering in that arena, many companies and their general counsel opt not to go down that road," Shelly says. "They see it as an issue that's best managed at the general counsel's level."

That defensive strategy, however, requires a lot of work to document the development of software at every step from the inception of an idea through to the sale of the finished product.

"We document everything to the extent we can to show where we have taken measures to minimize or reduce our risks," Hill says.

For its part, SAP has become much more focused on obtaining patents.

"SAP has amended its strategy in terms of intellectual property over the past five years or so to become much more aggressive in terms of creating the international patents necessary to protect our rights and to have a portfolio of intellectual property at our disposal," Haitsch says.

"That really acts as a defensive tool against allegations by third parties that we're infringing. If in fact we can prove that we created the concepts internally and have patented or applied for patents in that regard, it's a significant defensive posture for us to take," Haitsch says.

The limited opportunities to transfer intellectual property risks means that risk managers have to be more creative in assessing and financing the exposure, or deciding to retain the risk as a cost of doing business.

"From a risk management perspective technology companies are still confronted with the reality that there is a very, very limited market in terms of risk transfer opportunity," Haitsch says. "For intellectual property, the main players in that market are very cautious when it comes to software and technology companies."

GOING GLOBAL

While software is usually designed to help customers profit from the freer flow of information, software companies need to make sure that they protect sensitive data and harden software and systems against outside attacks.

Such attacks include attempts by hackers to break into a system to steal data, or even to launch a virus that bombards a given site with so many messages that it is forced to shut down in what is known as a "denial of service attack."

A software company that remotely hosts critical applications for its customers could find itself facing legal claims if those applications become unavailable due to a denial of service attack and make it impossible for the customer to run its business.

"The issues associated with Internet liability have to do with posting and privacy and denial of service," Shelly says. "For software companies, there's a potential problem in terms of the company in and of itself, and of course there's the third-party issue with respect to its customers."

The legal liabilities also become more complex as a company goes global and faces competing regulations in different countries. For instance, the question of e-mail management is complicated by strict privacy standards in the European Union and the extensive discovery permitted under U.S. law.

"To tie that together is a significant challenge," says Haitsch, noting that SAP operates in more than 80 countries, "because we need to assess our risk and protect the company from potential pitfalls in terms of both professional liability and directors and officers liability."

THE MARKET LEVELS OUT

While intellectual property disputes and hackers grab headlines, a main exposure for enterprise software companies revolves around their core business of providing software and services to customers. The market for professional or product liability insurance, which began to harden significantly five years ago as capacity diminished, has leveled out as new specialty carriers have come into the market.

"At the farthest end of that back five years and before, software E&O was very cheap. It was done as part of the casualty program and not that expensive at all," Willis' Shelly says. "Then about four or five years ago as markets started to drop out, it tightened up and now some of the specialists markets have come in and generated good competition."

While the market has evened out, software companies say they are still seeing a limited amount of players and capacity.

"Insurance has figured prominently in the response that we have generally had to our products liability exposure. For a software company errors and omission is the line of choice in order to deal with that. It's a relatively high ticket and scarce commodity. There are very few markets for it that really have targeted that industry because it is so new in terms of technology--not having been around that long, to create the kind of exposures that underwriters feel comfortable with," Hill says.

In some areas, software companies have begun to look more to alternative risk management techniques. Microsoft Corp., the world's largest software company and one with tens of billions of dollars in extra cash, has established captives for catastrophic and other risks with a face value of $2 billion at midyear 2004. SAS and SAP say they also are looking at alternatives.

"A lot of things might be under consideration in terms of some other more creative financing arrangements," Hill says. "We're in a position to probably assume more of the risk ourselves and really look at this as more of a catastrophe cover in the sense that we might have multiple customers that have the same problem that end up costing us something because of a single occurrence as opposed to an isolated claim here or there," she says. SAP has been evaluating alternative risk financing for about two years and has taken some preliminary steps but hasn't finalized anything yet, Haitsch says.

Among the issues that risk managers face in dealing with insurers is the relatively young age of the software industry.

"Insurance is very much based on historical costs to give a prediction of what future claims might look like," Hill says. "Since there hasn't been much history in this industry we've been handicapped by the opportunity to leverage those historical costs to make a better case for more attractive premiums."

To manage costs effectively, risk managers need to market their companies to the underwriter community and build long term relationships, Haitsch says.

"The savvier risk managers are really taking an aggressive approach to this, recognizing that they're the face of their company in terms of the underwriting community," SAP's Haitsch says.

INDUSTRY RISK REPORT SOFTWARE

In the world of intellectual property, there are no hurricanes. But
that doesn't make mitigating the risks associated with patent
infringement or piracy any easier. Find out how people like
Microsoft's Lori Jorgensen avoid invading other people's ideas ...
all while they try to protect their own.

Company Name   Location         CRO                  CFO

Veritas        Mountain View,   Kevin Olson,         Edwin J. Gillis
Software       Calif.           Treasurer

Symantec       Cupertino,       Sonja Schamel,       Gregory E. Myers
               Calif.           Treasury Analyst

Siebel         San Mateo,                            Kenneth A. Goldman
Systems        Calif.

Oracle         Redwood City,                         Harry L. You
               Calif.

Microsoft      Redmond,         Lori Jorgensen,      John G. Connors
               Wash.            Director, Finance/
                                Risk Management

Intuit         Mountain View,   Tom Hale             Brad Henske
               Calif.

Compuware      Detroit,         Roger Maggid,        Laura L. Fornier
               Mich.            Risk Manager

Computer       Islandia,        Responsibility       Jeff Clarke
Associates     N.Y.             shared by numerous
Intl.                           executives

               2004 Total        No. of      Primary
Company Name   Revenue           Employees   Insurance   Captives

Veritas        $1,747 million    6,518       Withheld    No
Software

Symantec       $1,870 million    5,300       Withheld    No

Siebel         $1,354 million    4,972       Withheld    No
Systems

Oracle         $10,156 million   41,658      Withheld    No

Microsoft      $32,187 million   55,000      AIG         Fidalgo
                                                         Insurance Co.
                                                         (Vt.); Orcas
                                                         Ltd. (Bermuda)

Intuit         $1,581 million    6,700       Withheld    No

Compuware      $1,264 million    8,660       Withheld    No

Computer       $3,276 million    15,300      Withheld    No
Associates
Intl.

Company Name:  Risk Exposure:

Veritas        Dependence for revenue on only a few product lines;
Software       failure to manage distribution lines effectively or
               failure to maintain business relationships with
               distribution partners; risks resulting from
               international sales and operations; product defects
               resulting in liabilities and losses; legal expenses
               resulting from SEC investigations into business
               transactions with AOL-Time Warner; pending class action
               and derivative action lawsuits that may demand much
               attention and legal expense and may adversely affect
               business.

Symantec       Risks related to intellectual property, including piracy
               and any unauthorized use or copying of software; risks
               related to recent acquisitions, including the market's
               acceptance of acquisitions, disruption of ongoing
               business, and difficulties entering other markets the
               company does not have prior experience operating in;
               market risks related to fluctuations in market prices,
               interest rates and foreign currency exchange rates.

Siebel         Changes in domestic and international business, economic
Systems        and political conditions; size and timing of individual
               license transactions; hostilities and/or terrorist
               attacks involving the United States could adversely
               affect business; the unpredictability of new projects
               like the Siebel CRM OnDemand and its application
               services; successful integration of other acquisitions;
               additional risks created by distribution channels;
               software errors or defects could reduce revenues;
               periodical restructuring of the sales force, which can
               be disruptive.

Oracle         Financial and strategic risks associated with
               acquisitions; customer, product and intellectual
               liability associated with sale of a third party's
               products after acquisitions are completed and
               implemented; risks and legal proceedings associated with
               acquisition of PeopleSoft; disruptions of indirect sales
               channel affecting operating costs; sales to government
               clients that could result in investigations, audits or
               early termination; U.S. Congressional action associated
               with extraterritorial income case could adversely affect
               business.

Microsoft      Foreign currency, interest rate and equity price risks;
               changes in federal legislation; heavy reliance on
               third-party manufacturing; piracy and intellectual
               property rights; cyberterrorism and reputational risk.

Intuit         Exposures resulting from increasing complexity and
               unpredictability of revenue streams; problems with
               configuration or integration of new information systems;
               exposures related to failure of technology systems;
               exposures related to business integration of recent
               acquisitions; risks related to customer privacy and
               security and government regulation; risk that protection
               of the company's intellectual property will not be
               adequate; the risk of unintentionally infringing upon
               the intellectual property of others.

Compuware      The pending lawsuit filed against IBM may result in
               substantially increased legal fees and potential market
               losses if IBM attempts to undermine Compuware's market
               base; risks associated with operating in foreign
               markets, foreign currency risk and the need to comply
               with U.S. and international export laws; acts of
               terrorism or war that can cause destruction to property
               or interruption of normal business operation can have an
               adverse effect on business.

Computer       Length of sales cycle; introduction of new hardware;
Associates     general economic conditions in countries where customers
Intl.          do a substantial amount of business; changes in foreign
               currency exchange rates; licensing transactions; results
               of litigation, including government and internal
               investigations; the adverse effects of downgraded credit
               ratings; the preservation of intellectual property
               rights.

Company Name   Risk Strategies:

Veritas        Foreign currency hedging programs consisting of forward
Software       contracts to mitigate exposures to foreign currency
               exchange risk.

Symantec       Copyright, patent and trademark laws to manage the risks
               involved with protecting intellectual property; foreign
               currency risks are hedged using forward contracts.

Siebel         The company maintains reserves for eventual credit loss;
Systems        foreign exchange contracts to mitigate foreign currency
               risk.

Oracle         The company has established a program that uses
               primarily foreign currency forward contracts to offset
               risks associated with the effect of foreign currency
               exposures and to hedge net assets of some international
               subsidiaries.

Microsoft      Microsoft continues to mitigate risk through operational
               or contractual means. Depending on the category of risk
               and the probability and magnitude of loss, it addresses
               risk with either insurance or financial instruments (if
               the risk is financial market related).

Intuit         Ongoing evaluations of customer credit and continuing
               limitations on amount of credit extended to manage
               accounts receivable risks; maintenance of reserves for
               estimated credit losses.

Compuware      The company does not use derivative financial
               instruments to manage market risk; it does use forward
               foreign exchange contracts to manage foreign currency
               risk.

Computer       Investment of excess cash into debt instruments of
Associates     government agencies and the use of fixed-rate debt
Intl.          instruments to mitigate market interest rate risk; the
               company does not enter into foreign exchange derivative
               transactions.

MICHAEL FITZPATRICK, a former journalist and editor with Reuters, writes frequently on technology issues for Risk & Insurance[R].

COPYRIGHT 2005 Axon Group
COPYRIGHT 2005 Gale Group