Slashdot Mirror


[H|Cr]acker Insurance

Spellbinder writes "Yahoo has an article on hacker insurance. Also known as "network risk insurance," it has been on the market for about three years, but is expected to explode from a $100 million sideshow into a $2.5 billion behemoth by 2005, according to insurance industry projections."

6 of 175 comments

  1. Re:Product liability instead by phorm · · Score: 2, Informative

    Automotive: Your car crashes due to a defect, you die
    Drugs (medical): Your pharmacist doesn't check to find that the drug prescribed is something you're listed as being highly allergic to, you die.

    SQL Server crashes: You lose money, you require stress leave, but in most cases it isn't life or death.

  2. Re:Product liability instead by jackdoodle · · Score: 2, Informative

    I completely agree...and insurance is likely one of the best ways to force this sort of responsibility. Bruce Schneier (quoted in the article) has been talking about this for a long time; his monthly newsletter addresses the subject at reasonable length, in the section "Liability and Security", from his April CryptoGram. http://www.counterpane.com/crypto-gram-0204.html

  3. Re:An analogy by ajakk · · Score: 4, Informative

    The important word there is story, considering this is false. Snopes

  4. Re:Insurance? by WPIDalamar · · Score: 4, Informative

    well.. duh... someone has to pay the claims

    If MS offers huge discounts for Windows insurance, then they would lose GOBS of money when it comes time to pay out those insurance claims. I'm guessing the profit margin on insurance generally isn't as big as it is on software! They would essentially have to pay for their own bugs.

  5. Re:More info by Anonymous Coward · · Score: 4, Informative

    SANS Institute lists those providing such insurance, so you could contact the companies directly, but one arrangement with Lloyd's of London makes it cheaper for Counterpane Security customers; see link at the bottom. Here's the SANS info:

    http://www.sans.org/rr/casestudies/insurance.php

    Who Provides Hacker's Insurance

    Providing insurance for cyber loss is a new industry. Most insurance
    carriers do not have the necessary expertise or tools to adequately
    assess the needed coverage. As a result, there are currently only a few
    companies offering hacker's insurance. However, with the financial
    losses continuing to escalate, the demand for this protection will also
    increase.

    Lloyd's of London has created an insurance product that incorporates
    elements of crime coverage and property coverage, addressing specific
    exposures faced in our computer age.

    The product, Computer Information & Data Security Insurance (CIDSI),
    combines theft and malicious damage protection coupled with business
    interruption coverage. CIDSI further provides expert computer security
    surveying and loss control services to mitigate exposures and losses.
    The product is a comprehensive program that can help address significant
    exposures.

    Other vendors of computer crime insurance include:

    * Internet Security Systems (www.iss.net)
    * Counterpane (www.counterpane.com)
    * J.S. Wurzler Website Insurance & Security (www.jswum.com)
    * Axent Technologies (www.axent.com)
    * Insuretrust.com LLC (www.insuretrust.com)
    * Ace Ltd. (www.acelimited.com)

    Cost

    Liability is still difficult to calculate. An example of one method for
    calculations is to average a Web site's revenue over several months and
    divide for an estimate of the hourly cost of downtime. However, this
    calculation doesn't consider account traffic and potential customers
    lost as the result of service interruption.

    Insurers typically determine policy costs according to the company's
    size, the volume of business a company conducts on the Web, and the
    effectiveness of the company's security policy. Some insurers offer a
    discount if you have an affiliation with certified information security
    experts.

    Policies can carry premiums starting at $7,000 all the way to $3 million
    dollars. Lloyd's of London has recently announced a policy to cover up
    to $100 million dollars but the price of the premium has to be
    negotiated specifically with Lloyd's.

    What to look for in a policy is addressed here:
    http://216.239.53.100/search?q=cache:nLr6A8YsCgcC:practice.findlaw.com/worldbeat-1202.html+%22hacker+insurance%22&hl=en&ie=UTF-8

    Counterpane customers can get it cheaper through an arrangement with Lloyd's of
    London because they are their customers:

    http://www.counterpane.com/pr-lloydsqa.html

  6. Re:Wow by ChrisTaylor2904 · · Score: 2, Informative

    I'm an actuary by training, and we call this issue "moral hazard".

    One of the best ways to reduce the risk to the insurance company is to introduce "self-insurance" where the customer has to bear some of the cost of any claim - like the excess on your car insurance policy. For these policies, the customer's probably liable for something like the first $5 or $10 million of any claim.

    I'd also expect the insurance company to follow up any large claims with another audit, to see if any of the security controls and procedures had become lax since the time the policy was taken out, and there'll be a standard clause to reduce/invalidate the claim if anything's found in this audit.