Slashdot Mirror


[H|Cr]acker Insurance

Spellbinder writes "Yahoo has an article on hacker insurance, also known as "network risk insurance," which has been on the market for about three years, but is expected to explode from a $100 million sideshow into a $2.5 billion behemoth by 2005, according to insurance industry projections."

27 of 175 comments

  1. Wow by Anonymous Coward · · Score: 5, Insightful

    If they'll pay that much for insurance, I wonder how much they'd pay for a SysAdmin that secures things properly.

    1. Re:Wow by error0x100 · · Score: 5, Insightful

      When a company buys insurance they are 100% guaranteed to recover losses from a crack.

      When a company spends that money on an admin, the chance of being broken into goes down, but will never be 0%.

      Taking out h/crack insurance, then, lowers the incentive for additionally investing in proper network security (e.g. a decent sysadmin). The companies, if the insurance leaves them feeling "financially safe" from an attack, will be even less inclined than they are now to implement proper security. In "normal" insurance, this sort of thing amounts to negligent/deliberate behaviour that in some cases will make the insurer decide not to pay. If enough people leave their networks vulnerable, and the insurers are struggling to stay afloat as a result, then they are going to start getting more strict about the conditions of the insurance vs premiums (as happens in auto insurance, more security features on a car imply generally lower risk and thus lower premiums). I don't see why it should be any different here. If companies are making almost no effort whatsoever to secure their networks (as many companies do now), then the insurer either should refuse to cover them, or they should have to pay much larger premiums. (Although then it starts to look like the old "then what's the point of insurance" argument; disability insurance providers in my country routinely refuse to even consider covering people with a medical past that includes things like even very minor back problems. In other words, they will only cover people who do not represent much of a risk at all.) However, in the case of 'network insurance', it's deliberately irresponsible behaviour that places one in a high risk group (e.g. like smoking).

    2. Re:Wow by rgmoore · · Score: 4, Insightful
      I bet not as much...

      You are most likely wrong. Insurance companies aren't stupid, and they're not going to charge everyone the same rate any more than auto insurance companies charge everyone the same rate regardless of their driving record. They'll give better rates to companies that have good security practices and good track records than ones with bad practices and records. They may even refuse to offer insurance unless the companies follow specified practices; I'd guess that hiring certified administrators would be one required practice. This is similar to the way that insurance companies won't sell you auto insurance if you don't have a driver's license, or some homeowners insurance companies won't sell burglary insurance unless you have a home security system. I'd also expect that a well run insurance company would not offer 100% coverage. They'll probably only offer 80-90% coverage, so that companies still have a strong incentive to protect themselves.

      FWIW, there was some discussion of these insurance policies on /. in the past. One article pointed out that insurance companies were charging more if a company used Windows than if it ran Linux or a Unix variant because of Windows's inferior security track record. If they're already smart enough to do that, you can bet that they'll be smart enough not to let companies slack off in their efforts to secure their computers after they've bought the insurance.

      --

      There's no point in questioning authority if you aren't going to listen to the answers.

  2. But how would they cover the debt.... by Anonymous Coward · · Score: 5, Interesting

    If everyone's site went down - as it almost did with the latest vuln in MSSQL - how would anyone ever cover the losses?

    fp

    1. Re:But how would they cover the debt.... by PhxBlue · · Score: 5, Insightful

      Better yet, how do you even determine the losses? The only science I've seen of it to date is: Company A says, "We lost $x amount when we lost our connection for 2 hours because of this attack," with nothing to back up the dollar figure.

      This insurance idea could be a good one, simply because it might force businesses to justify their losses when network attacks occur. I'm not going to hold my breath, though.

      --
      !#@%*)anks for hanging up the phone, dear.

  3. Product liability instead by azoidx · · Score: 5, Insightful

    What about product liability? Automakers, drug manufacturers and every other manufacturer are liable for their products in some way. How come software companies are exempt from this?

    1. Re:Product liability instead by Anonymous Coward · · Score: 5, Insightful

      How come software companies are exempt from this?

      Because you clicked "Yes, I agree".

    2. Re:Product liability instead by TheTomcat · · Score: 4, Insightful

      1) End-User License Agreements (EULAs)
      2) We don't REALLY want this. It's incredibly expensive to have crash-tests / drug-tests done; Open Source software would suffer greatly if it was "controlled" in this way.

      S

  4. duh! by MissMyNewton · · Score: 5, Insightful

    the *best* insurance is a competent admin...

    nothing else will do!

    --

    ---

    Information wants...you to shut your pie hole.

    1. Re:duh! by B3ryllium · · Score: 4, Funny

      The "best" car insurance is a Hum-Vee.

    2. Re:duh! by berzerke · · Score: 4, Interesting

      ... the *best* insurance is a competent admin...

      No, the best insurance is a competent admin and management that gives him the support he needs and listens to him (or her).

      I speak from experience. At a company I used to work for, the "business manager" decided that connecting a server (administered by another company, I couldn't legally touch it) with NO root password (AIX, BTW) to a modem anyone could dial into (no logging either) was a good idea. I objected, in writing, but was overruled.

      It was about a week before the hard drive suddenly went blank. The company administering it said it was a bad hard drive. I disagreed, and said someone had broken into it. Again, I was overruled, and they replaced the hard drive and restored the system from the last system backup (charging about $800 for this service). They put the modem back online.

      Exactly a month later, same thing. This time the company says it's a bad controller card (and again won't listen to me). The company claimed it would take a very sophisticated attack to do what was happening. Apparently, they never heard of cron and "rm -rf /*"! Anyway, again they restored the last system backup (not checking anything either; I watched). Another bill (unknown amount).

      Month 3, same time, same blank hard drive. Now they believed me and did an install off known good media. They refused to scan the data backups for leftovers though. Fortunately, it doesn't appear like the visitor left anything there. The business manager also finally gave the ok to disconnect the modem.

      They eventually did reimburse for some of the bills for non-faulty equipment, but the billing department (it was "their" server) was down for about 7 days. I have no idea how much that cost.

      The best admin in the world can't protect squat if management ties his (or her) hands.

  5. Hacker vs. Cracker by GuyMannDude · · Score: 5, Insightful

    I can see it now: company tries to claim a loss due to having their network compromised.

    Insurer: I'm sorry but we have rejected your claim.

    Insured: What the hell do you mean? This is why we bought hacker insurance!!

    Insurer: Yes, but you bought "hacker" insurance. If you wanted to be reimbursed for a loss like this, you should have bought our "cracker" insurance! But you're in luck! We've got a special offer now! If you buy cracker insurance and already have purchased hacker insurance from us, you will save 10%! I guess today is your lucky day after all!

    Insured: You insurance companies are vultures! Profiting off our loss! Well, okay, I don't want to think any more about it. Just sell me whatever insurance you think is best for me.

    Insurer: Just what I was hoping you'd say! Sign here, here, and here, please! No, don't bother reading that. It's just a bunch of legal jargon...

    GMD

  6. Do they cover your bandwidth bill too? by Stephenmg · · Score: 5, Interesting

    Do they cover your bandwidth bill when some random infected virus sends packets to your secured site even if you don't get infected?

  7. An analogy by thesilverbail · · Score: 5, Funny

    That's like the story of NASA inventing this hyper-super-duper centrifugally balanced gravity boosting ballpoint pen for their astronauts and the Soviets bringing along a pencil.

    --
    I have found a truly wonderful proof of Fermat's Last Theorem, but unfortunately this sig is too small to contain it.

    1. Re:An analogy by ajakk · · Score: 4, Informative

      The important word there is story, considering this is false. Snopes

  8. Hartford Steam Boiler Insurance covers this by Animats · · Score: 4, Interesting
    The Hartford Steam Boiler Insurance Company offers insurance against computer breakdowns for a wide variety of reasons. Their business is insuring companies against mechanical failures. They started out with steam engines (hence the name) but the business has grown.

    Hartford Steam Boiler offers good rates, but requires intrusive inspections. Before they insure something, they inspect and provide a list of things they want fixed. Then they inspect again, after the problems are fixed. Only then will they provide insurance coverage. They then have the right to inspect at any time, and they use it.

    This works great for steam boilers (where they have great expertise) but they haven't tried to expand much out of their niche. Even though they do cover some computers, they're still mostly focused on boilers. It's good that others are now moving in that direction.

    This is the right approach. When Hartford Steam Boiler started in 1866, steam boilers blew up regularly. Within a few years, boilers insured by Hartford Steam Boiler weren't blowing up. A similar approach may eliminate computer crashes as a major problem. The day may well come when you can't buy insurance because you have an insecure OS on the premises.

  9. mitigating risk by Anonymous Coward · · Score: 4, Insightful

    This makes a whole lot of sense, because it allows companies to spread the cost of computer crime over time.

    Every company expects numerous break ins, vandalism, data theft, etc.. The problem is that it is hard to budget for this because the value of the damage is different in every case.

    Buying insurance for the attacks allows shortfalls in the data crime budget to be covered, and provides benefits for budgeting and tax purposes by increasing stability in the face of constant inevitable loss.

  10. What a great idea. I can see it now. by Kenja · · Score: 4, Funny

    Guido: Nice network you gots here, it would be a shame if something were to happen to it.
    Customer: What do you mean?
    Nunzio: You know, accidents, like your customer records being posted on slashdot. Accidents happen you know.
    Guido: But you're in luck, my brother and me can, for a small fee, guarantee your network won't be hacked by disreputable people like us. Think of it as "insurance".

    --

    "Have you ever thought about just turning off the TV, sitting down with your kids, and hitting them?"
    1. Re:What a great idea. I can see it now. by Skevin · · Score: 4, Funny

      Wouldn't their names actually be Gu1d0 and Nunzzz10?

      Solomon

      --
      "Twice half-assed makes an ass whole." --Solomon K. Chang
  11. Not a bad idea by Anonymous Coward · · Score: 5, Interesting

    Car insurance is cheaper if you have an ignition disabler, and other anti-theft features.

    If companies actually buy cracking insurance, they will want to get it at a low price.

    The insurance industry, by charging high-premiums for bad IT management, bad security, bad policy, and bad software, could force companies to improve themselves.

    How high are the premiums on MS SQL 2000?

    You could clearly point to the insurance premiums and show how much bad security is costing the company.

  12. Will this make better security? by WPIDalamar · · Score: 4, Insightful

    The article went on to talk about some "hoops" companies must go through to get insured. Some of these hoops included external audits, and assurances that security is important. Perhaps this kind of thing can actually increase security since it gets people higher up (and not the techies) thinking about it.

    If your board of directors tries to get cracker insurance, and the insurance company fails you as being too big of a risk .... I bet that board will step up to the plate for security funding!

  13. Might actually help by AppHack · · Score: 5, Insightful

    The interesting thing is that if companies followed the requirements of the insurance company to get the hacker insurance, their security would improve tremendously. Many companies don't even perform the simple tasks the insurance companies will require. That alone would help tremendously.

    Ironically, if more companies would conduct assessments, patch vulnerable systems, set up security policies, etc. the demand for this type of insurance might actually diminish. Little chance of that. :-)

  14. [H|Cr]acker? by cheesyfru · · Score: 4, Funny

    I know what a hacker is, but what is a "cacker" or a "racker"?

    (simple regular expression bugs in article titles explain a lot about why Slash is the way it is)

  15. *nix flavors are vulnerable too by mmuskratt · · Score: 4, Interesting

    OK M$ bashies, enough. One word, "bugtraq."

    The issue here is really interesting. Do you think that by patching systems, and by going through security testing, the premiums for this type of insurance will go down? How do you determine a financial settlement (Kevin Mitnick allegedly cost several companies billions of dollars in damage, blah blah blah)? Will this make security teams wealthy and sysadmins better?

    Furthermore, the article says that this type of insurance has been around for 3 years now, but I didn't get a hit when I typed in "network risk insurance" into Google...who is providing this?

    Sounds like a scam I'd like to be a part of...

    --
    man rtfm

  16. Re:Insurance? by WPIDalamar · · Score: 4, Informative

    well.. duh... someone has to pay the claims

    If MS offers huge discounts for Windows insurance, then they would lose GOBS of money when it comes time to pay out those insurance claims. I'm guessing the profit margin on insurance generally isn't as big as it is on software! They would essentially have to pay for their own bugs.

  17. Not to be anal, but... by mikecarrmikecarr · · Score: 4, Interesting

    The article title reads [H|Cr]acker Insurance

    This regex works but I don't think it works for the reasons that the author intended. For example,

    The [H|Cr] is a character class matching the single character H, C, r or |.

    So this regex will match Hacker Insurance, and Cracker Insurance (bolding indicates what part of the word matches)... it will also match |acker Insurance

    I wouldn't normally be so anal but the title involves hackers/crackers... you'd think you'd get the logic right, no?

    I would humbly suggest the regex (H|Cr)acker Insurance

    If the author was intending some weird regex syntax where [] indicates something other than a character class then I apologize in advance.

    --

    ID-10-T is a way of life
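The difference the commenter describes, run on a handful of constructed titles. This is an added example, not code from the thread or from Slashdot; the sample titles are made up for the test, and the headline's pattern `[H|Cr]acker Insurance` and the suggested `(H|Cr)acker Insurance` are the only two patterns involved. The example records which substring each pattern actually matched, which is what the lost bolding in the comment was meant to show: the character class "accepts" Cracker Insurance only by matching racker Insurance one character in.

```python
import re

# Constructed sample titles (not from the article): the two the headline
# intends, three that only the character-class version accepts, and one
# that neither pattern should accept.
SAMPLE_TITLES = [
    "Hacker Insurance",
    "Cracker Insurance",
    "|acker Insurance",
    "racker Insurance",
    "Cacker Insurance",
    "Slacker Insurance",
]

# The headline's pattern as written: [H|Cr] is a character class, i.e.
# exactly one character that is H, |, C or r.
CHARACTER_CLASS = re.compile(r"[H|Cr]acker Insurance")

# The commenter's suggested pattern: (H|Cr) is an alternation, i.e.
# the string "H" or the string "Cr" followed by "acker Insurance".
ALTERNATION_GROUP = re.compile(r"(H|Cr)acker Insurance")


def matched_part(pattern, text):
    """Return the substring of text that pattern matches, or None if no match."""
    m = pattern.search(text)
    return m.group(0) if m else None


def compare_patterns(titles=SAMPLE_TITLES):
    """Map each title to (substring matched by the class, substring matched by the group)."""
    return {
        title: (matched_part(CHARACTER_CLASS, title),
                matched_part(ALTERNATION_GROUP, title))
        for title in titles
    }


def accepted_only_by_class(titles=SAMPLE_TITLES):
    """Titles the character-class pattern accepts but the alternation rejects."""
    return [title for title, (by_class, by_group) in compare_patterns(titles).items()
            if by_class is not None and by_group is None]


if __name__ == "__main__":
    for title, (by_class, by_group) in compare_patterns().items():
        print(f"{title!r:22} [H|Cr]: {by_class!r:22} (H|Cr): {by_group!r}")
```

The same bracket-versus-parenthesis slip matters more when a regex is doing input validation rather than decorating a headline, because a character class that silently accepts `|` is a wider filter than the one the author thought they wrote; comparing the matched substrings, as above, is the quickest way to see what a pattern really admits.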

  18. Re:More info by Anonymous Coward · · Score: 4, Informative

    SANS Institute lists those providing such insurance, so you could contact the companies directly, but one arrangement with Lloyd's of London makes it cheaper for Counterpane Security customers, see link at the bottom. Here's the Sans info:

    http://www.sans.org/rr/casestudies/insurance.php

    Who Provides Hacker's Insurance

    Providing insurance for cyber loss is a new industry. Most insurance
    carriers do not have the necessary expertise or tools to adequately
    assess the needed coverage. As a result, there are currently only a few
    companies offering hacker's insurance. However, with the financial
    losses continuing to escalate, the demand for this protection will also
    increase.

    Lloyd's of London has created an insurance product that incorporates
    elements of crime coverage and property coverage, addressing specific
    exposures faced in our computer age.

    The product, Computer Information & Data Security Insurance (CIDSI),
    combines theft and malicious damage protection coupled with business
    interruption coverage. CIDSI further provides expert computer security
    surveying and loss control services to mitigate exposures and losses.
    The product is a comprehensive program that can help address significant
    exposures.

    Other vendors of computer crime insurance include:

    * Internet Security Systems (www.iss.net)
    * Counterpane (www.counterpane.com)
    * J.S. Wurzler Website Insurance & Security (www.jswum.com)
    * Axent Technologies (www.axent.com)
    * Insuretrust.com LLC (www.insuretrust.com)
    * Ace Ltd. (www.acelimited.com)

    Cost

    Liability is still difficult to calculate. An example of one method for
    calculations is to average a Web site's revenue over several months and
    divide for an estimate of the hourly cost of downtime. However, this
    calculation doesn't consider account traffic and potential customers
    lost as the result of service interruption.

    Insurers typically determine policy costs according to the company's
    size, the volume of business a company conducts on the Web, and the
    effectiveness of company's security policy. Some insurers offer a
    discount if you have an affiliation with certified information security
    experts.

    Policies can carry premiums starting at $7,000 all the way to $3 million
    dollars. Lloyd's of London has recently announced a policy to cover up
    to $100 million dollars but the price of the premium has to be
    negotiated specifically with Lloyd's.

    What to look for in a policy is addressed here:
    http://216.239.53.100/search?q=cache:nLr6A8YsCgcC:practice.findlaw.com/worldbeat-1202.html+%22hacker+insurance%22&hl=en&ie=UTF-8

    Counterpane customers can get it cheaper through an arrangement with Lloyd's of
    London because they are their customers:

    http://www.counterpane.com/pr-lloydsqa.html