[H|Cr]acker Insurance
Spellbinder writes "Yahoo has an article on hacker insurance: 'Hacker insurance, also known as "network risk insurance," has been on the market for about three years, but is expected to explode from a $100 million sideshow into a $2.5 billion behemoth by 2005, according to insurance industry projections.'"
If they'll pay that much for insurance, I wonder how much they'd pay for a SysAdmin that secures things properly.
What about product liability? Automakers, drug manufacturers and every other manufacturer are liable for their products in some way. How come software companies are exempt from this?
the *best* insurance is a competent admin...
nothing else will do!
I can see it now: company tries to claim a loss due to having their network compromised.
Insurer: I'm sorry but we have rejected your claim.
Insured: What the hell do you mean? This is why we bought hacker insurance!!
Insurer: Yes, but you bought "hacker" insurance. If you wanted to be reimbursed for a loss like this, you should have bought our "cracker" insurance! But you're in luck! We've got a special offer now! If you buy cracker insurance and already have purchased hacker insurance from us, you will save 10%! I guess today is your lucky day after all!
Insured: You insurance companies are vultures! Profiting off our loss! Well, okay, I don't want to think any more about it. Just sell me whatever insurance you think is best for me.
Insurer: Just what I was hoping you'd say! Sign here, here, and here, please! No, don't bother reading that. It's just a bunch of legal jargon...
Would there be a higher premium for those running a Microsoft OS vs. oBSD?
Anybody that would willingly buy insurance is at least half-nuts. If you DO buy insurance and DO get broken into they will send out swarms of "adjusters" and question how this could have happened, and how lax your security must be. Then they will proceed to up your premiums to make back what they paid you for the "damage." So they will end up getting THEIR money anyway. So my advice would be to take that money you would have spent on insurance, and buy a firewall and a decent admin to run it.
This makes a whole lot of sense, because it allows companies to spread the cost of computer crime over time.
Every company expects numerous break-ins, vandalism, data theft, etc. The problem is that it is hard to budget for this because the value of the damage is different in every case.
Buying insurance for the attacks allows shortfalls in the data crime budget to be covered, and provides benefits for budgeting and tax purposes by increasing stability in the face of constant inevitable loss.
The article went on to talk about some "hoops" companies must go through to get insured. Some of these hoops included external audits, and assurances that security is important. Perhaps this kind of thing can actually increase security since it gets people higher up (and not the techies) thinking about it.
If your board of directors tries to get cracker insurance, and the insurance company fails you as being too big of a risk .... I bet that board will step up to the plate for security funding!
The interesting thing is that if companies followed the requirements of the insurance company to get the hacker insurance, their security would improve tremendously. Many companies don't even perform the simple tasks the insurance companies will require. That alone would help tremendously.
Ironically, if more companies would conduct assessments, patch vulnerable systems, set up security policies, etc., the demand for this type of insurance might actually diminish. Little chance of that.
Does anybody know where documentation can be found on how "risk assessment" is done for this type of insurance?
This would be a very interesting way to gauge what software and network hardware an establishment should/should not be using.
It would be very interesting to see where Microsoft products fall in the mix.
Better yet, how do you even determine the losses? The only science I've seen of it to date is: Company A says, "We lost $x amount when we lost our connection for 2 hours because of this attack," with nothing to back up the dollar figure.
This insurance idea could be a good one, simply because it might force businesses to justify their losses when network attacks occur. I'm not going to hold my breath, though.
One solution could be to declare it a result of force majeure: "An act of God", an event that could never be anticipated. Somehow I don't believe that would hold up in court. ;-)
The good thing about cracker insurance is that the insurance companies will impose terms that the insured parties have to comply with. And they can give discounts on premiums if some measures are taken by the insured. How about a 10% discount for switching from Windows to a secure system?
I see some posts here about insurance cost of Windoze vs. oBSD. oBSD is about as secure as it gets - certainly it's several orders of magnitude stronger than the toys from Redmond. A logical human would conclude that it should be much cheaper to insure oBSD than Windoze. Not necessarily so...
The problem here is that Microsoft has already admitted that their products have crap security. What's preventing M$ from opening their own (or buying out another) hacker insurance co. and giving large discounts to Windoze-based corporations? Would other corporations stick with a non-M$ operating system if they had to pay double the insurance premium and/or accept reduced coverage?
There is definite potential for abuse here.
*cough* he said *pretty*, not *coked-out*. That being said, this looks as though it is still fairly half-baked at this stage, considering how the article states first the client needs to pony up for an independent security probe (read: bend over and take it to the tune of $50,000), and the payouts are only about 25 to 1 .... Christ, I can get car liability insurance of a quarter million for just over a grand annually.... in New Jersey! And finally, apparently all of that cash seems to be used for throwing into the mouth of a hungry fire, considering how often certain attacks will be deemed uninsurable. I repeat: not yet ready for prime time.
SURELY I would pay less insurance if I'm using all FreeBSD 5.0 boxes vs. Windows NT 4.0 SP1 boxes! Let's see what the rates turn out to be. Again... very good news!
Although I do agree with you that whenever someone's systems or networks go down they start throwing around random numbers indicating their losses, it would be pretty easy to calculate the loss to a relative accuracy. Just get all the numbers for the amount of business done during that period using the systems that are down and average to the time period that the systems were down. Say company XYZ does business through a phone system and a website. Say they make $730 a year and that $365 of that comes from the phone system and $365 of that comes from the website. Now, say the website goes down for a single normal business day (not some holiday or otherwise, just a random normal day) and that normally their website is up 24/7/365.
Loss = ($365/year) * (1 year/365 days) = $1/day on average. So, they lost $1 for that single day.
Now, for example, let's say that this is the company Dell. From Aug 2, 2001 to Aug 2, 2002 Dell took in revenues equalling $32.054 Billion. So, they bring in ($32.054)/(365) = $0.087819 Billion per day, or $87.819 Million in one day. Now, let's approximate that 50% of that is from various computer networks (kiosks at office stores, home users online, business users online, etc.) and 50% is from their phone systems (I really have no idea as I could not find any actual percentages). That means that if Dell's networks all went down for a single day, they would lose $43.910 Million in sales.
The really hard part is estimating how network slowdowns affect the business. But then again you could just see what the average expected sales for that day were and then what the actual sales for that day were and find the difference. If you have some data, statistics can handle the rest. But it sure does seem like some of these CEOs pull numbers out of their arses and throw them around to get sympathy or something.
The insurance industry, by charging high premiums for bad IT management, bad security, bad policy, and bad software, could force companies to improve themselves.
This is how insurance companies can actually act on behalf of the consumers. While personal injury lawyers make insurance companies out to be money-grubbing scum-sucking urine-soaked bug feces, we can't forget that those same insurance companies finance car crash testing and safety reporting for their own and the public's benefit. We also can't forget it is the insurance companies who can actually challenge runaway medical costs for their own and the public's benefit. The same goes for construction (flood plains, building codes, etc.), too.
Insurance companies could be Microsoft's worst nightmare.
Good question.
This is what actuaries do. They determine how to make money off of policies, they determine risk exposure and how to mitigate that risk, etc etc.
To have an actuary that could successfully do a plausible job at this, you'd need one that was a computer security and loss expert.
My father was the youngest person to become an FSA (Fellow of the Society of Actuaries) and last year was the Computer Science chairperson for the SOA (Society of Actuaries).
As both an accomplished actuary (to say the least) and an accomplished computerphile (are you fluent in 360 assembler?), I feel like he's pretty well versed to speak on this matter.
I can tell you quite confidently that the cross section of actuaries and people who are computer security experts in the United States is roughly:
0 persons.
When the "hacker insurance costs more for IIS" article came out a year ago I talked it over with my dad. He said it was "bullshit", and went into a small rant about how ridiculous and sensationalist it was.