Re: Lloyds to offer hacker insurance

From: Marcus J. Ranum (mjrat_private)
Date: Mon Apr 27 1998 - 06:35:45 PDT


Adam Shostack wrote:
> I'm very curious as to what people think of the idea of insurance for
> infosec failures.  Will it encourage standards of due diligence and
> due care for the industry, the way bank insurance has driven bank
> safes to be stronger and stronger?
    
I'm sure that it will, so it's a good thing. Presumably the insurance
premium will be somehow tied to whether or not you observe due diligence
at varying levels. I expect they tie it to some kind of review of
existing practices -- much like when you get a million dollar life
insurance policy in the US: they draw blood, do an EKG, and urinalysis.
Very different from getting a $50,000 life insurance policy. You'll
note the quote in the article from the guy from Asset Management
Solutions, Inc., which helps with the assessments. About a year ago
NCSA (now ICSA) did a similar deal where you could get web site
insurance through Prudential, if you first passed their test. I
suspect a lot of this is really a game to sell a high-priced ISS
scan, which probably costs more than the insurance policy.
    
Of course, as the CEO of a company that makes the Internet's most
butt-kicking network event recorder, I'm thrilled to death to see
this kind of thing, because it'll make NFR money. :) One of the
things that's got to come up if anyone ever tries to lodge a claim
is proving that the damage was covered by the insurance! Let's say
you have "firewall insurance" --- OOOPS, you gotta be able to prove
they broke in through the firewall, not the dialin server, because
you don't have "modem pool insurance". And was that attack really
covered by "firewall insurance"? It might have been an attack
applet not covered because you didn't pay for the "java insurance"
rider policy. Etc., etc. There's infinite room here for finger
pointing. It's going to drive a whole new market for event
recording, if it takes off.
    
My guess is that "security insurance" isn't going to take off in
a big way. Companies are already sensitive about spending $$ to do
security in the first place -- why would they spend $$$$ to avoid
it?

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 12:56:59 PDT