just a couple of points of clarification: 1. many clients--amazon being one, the VISA CISP standards being another, now require that all vendors--be they trading partners or service providers demonstrate both adequate infosec/network security as well as proof of insurance. 2. the insuranc emarket has hardended dramatically over the past year--including professional liability coverage such that both price and deductibles have risen 3. it is highly unlikely that a client's business interruption cvge or their overall property policy for that matter, will respond to most types of damage that can be caused by a tech service provider. The property insurers(business interruption cvge is part of an overall property cvge and is not usually sold on a stand alone basis) have for the last year placed an exclusion on their policies that excludes from coverage any loss due to the destruction, corrution, etc of data. The exclusion goes on as to other issues like no coverage for loss arising out of a computer virus, etc. The point being--and recent federal case law has borne this out--tradtional property policies cover only physical damage to/loss of tangible property--data beign deemed "intangible" for the purposes of insurance. Regards, Bob Parisi Robert A. Parisi, Jr. Senior Vice President and Chief Underwriting Officer AIG eBusiness Risk Solutions 80 Pine Street, 8th Floor NYC, NY 10005 Phone: 212-770-1691 Fax: 443-381-2473 (direct) Fax: 212-770-5375 (general) Pager: 877-356-3223 Cell: 917-439-5844 8773563223at_private <mailto:8773563223at_private> robert.parisiat_private <mailto:robert.parisiat_private> www.aignetadvantage.com NOTICE: This e-mail message and all attachments transmitted with it may contain legally privileged and confidential information intended solely for the use of the addressee. If the reader of this message is not the intended recipient, you are hereby notified that any reading, dissemination, distribution, copying, or other use of this message or its attachments is strictly prohibited. If you have received this message in error, please notify the sender immediately by telephone (212-770-1691) or by electronic mail (robert.parisiat_private), and delete this message and all copies and backups thereof. Thank you. -----Original Message----- From: misat_private [mailto:misat_private] Sent: Tuesday, November 26, 2002 8:37 PM To: David Wray Cc: pen-testat_private Subject: Re: Insurance i agree with all of the explanation and education part. it's part of the sales process. insurance is to protect against unexpected liability. if neither you nor your client believe there will be a meltdown, who's insisting on insurance? and the deductibles are so high, chances are you'll never use your coverage. i try to get my clients to give permission and to assume the liabilities for my infosec testing. (their business interruption insurance will often protect against something awful.) of course, if my ordinary testing crashes their systems, so can bugs or insiders, and they typically assume those liabilities, so why not the costs involved in my testing? for physical security testing (which i do) there are often 3rd parties involved (e.g. colo or hosting facilities, and other tenants in the facility), and i need multiple permissions, and i need to act as the agent of the tenant in the facility. i agree not to cause damage to people or property in my testing. (i suppose i could get electrocuted crawling around in the ceiling or the floor, and that's my risk. i cracked a ceiling tile once. that was my cost, but they said "don't bother".). i don't typically test whether the UPS switchover works by turning off the colo building power, because of the exposure to other tenants whose permission i'm unable to get. i've been surprised by how long ago this sort of thing has been tested. in many cases, my testing is intended to test the time-to-detect, time-to-recover or incident response. the cost of the test is a measure of the preparedness of the target of evaluation. advance warning resulting in heightened awareness or artificial minimization of the test just to minimize possible costs etc. reduces the realism of testing. On Tue, Nov 26, 2002 at 05:57:29PM -0000, David Wray wrote: > HI Lisa > > In our experience (In the UK at least), the Insurance side of pen testing is > much like the Legal side, i.e. you have to patiently explain to someone > that's never heard of pen testing what you do, why you do it, who you do it > for, the pitfalls of pen testing, the likely outcome, expected turnover etc > etc. We have also had to show our working practises, how we update the > testing, the CVs of the testers, our contracts etc etc. > > Our "You missed something and we've been hacked" insurance is covered under > our Professional Indemnity insurance, as is our "You've just killed our > e-commerce platform and it won't restart" insurance. In my experience, it's > the experience and time served by your testing team that seems to have the > biggest swing on premiums. How much cover you get is a good question, it's > never enough! > > > Regards > > Dave Wray > Sec-Tec Ltd > www.sec-tec.co.uk > > ----- Original Message ----- > From: "Lisa Dokes" <securitylistsat_private> > > > > > ________________________________________________________________________ > Sec-Tec Ltd, CLAS Government listed specialists in information security professional services. Visit http://www.sec-tec.co.uk for more information on our services. This e-mail has been scanned for possible virus contamination. However, we recommend that all recipients also scan this message. > > ---------------------------------------------------------------------------- > This list is provided by the SecurityFocus Security Intelligence Alert (SIA) > Service. For more information on SecurityFocus' SIA service which > automatically alerts you to the latest security vulnerabilities please see: > https://alerts.securityfocus.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/ ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
This archive was generated by hypermail 2b30 : Mon Dec 02 2002 - 14:19:16 PST