From our perspective writing a policy is akin to legalized gambling. We accept your premiums and bet we can invest it and get a return on it before we have to pay it back as a claim. We have been insuring mobile homes, RVs and travel trailers for the last 45 years. In that time we've gotten to know these products really well. We insure against the usual things - fire, theft, natural causes (tornadoes, hurricanes, floods, lightning, etc). We have a pretty good idea of what to expect in terms of exposures from this stuff. We can calculate our odds pretty well since the exposures are pretty well known.

So Lloyds brings in some "experts" to review our security policy, inspect our network, review our user training, interrogate all the users to make sure they're honest, bla, bla, bla and they certify us as insurable (secure). We're all set, we can go back to sleep now. The next month we have hurricanes in Florida, floods in CA, tornadoes in Indiana. Someone decides to have some fun and pushes through a hole in the new firewall system we just installed. This brings our network down so we can't process claims. After a day or two we'll be history. So Lloyds pays us a million $$, just enough to pay for gracefully closing the doors.

Or say Lloyds insures a lot of companies who use version X.0 of OS YYY as the basis for their firewall system. Of course they're all insurable (secure), since they've been certified by the "experts". So what happens to Lloyds when the next killer 'sploit is used on the majority of these systems all at once? I don't see how Lloyds can calculate the odds of loss from an exposure they don't even know exists. At least we're pretty sure we won't see a bunch of mobile homes destroyed by volcanoes erupting in Tampa.

We are in the midst of installing a firewall and a direct Internet connection. We have researched firewall systems very carefully for about a year. We have put an enterprise-wide security policy in place. We're removing the back doors. We have started a security awareness program. We also feed and house some of the "experts" every now and then. These types of actions are what make up our insurance policy.

Buying insurance against "hackers" might actually make some companies less secure. They have been certified as insurable (secure), so they can put security on the back burner until it's time for next year's checkup, then they get whacked. But hey, they got insurance.

Kevin Tyrrell
Foremost Insurance Co.

Disclaimer: These opiini^H^H damn! ^H^H ^Q ^[ .... :w :q :wq :wq! ^d ^X ^? exit X Q ^C ^? :quitbye Ctrl-Alt-Del ~~q :~q logout save/quit :!QUIT ^[zz ^[ZZZZZZ ^vi man vi ^@ ^L ^[c ^# ^E ^X ^I ^T ? help helpquit ^D ^d !! man help ^C ^c :e! help exit ?Quit ?q Ctrl-Shft-Del "Hey, what does Stop L1A d..."

-----Original Message-----
From: owner-firewall-wizardsat_private [mailto:owner-firewall-wizardsat_private]On Behalf Of David Lang
Sent: Tuesday, April 28, 1998 9:52 am
To: Marcus J. Ranum
Cc: Firewall Wizards List
Subject: Re: Lloyds to offer hacker insurance

-----BEGIN PGP SIGNED MESSAGE-----

Remember what insurance boils down to, a gamble

... snip ...