Slashdot Mirror

← Back to Stories (view on slashdot.org)

[H|Cr]acker Insurance

Posted by ryuzaki0 on from the thats-a-lotta-insurance dept.

Spellbinder writes "yahoo has an article on Hacker insurance, also known as "network risk insurance," has been on the market for about three years, but is expected to explode from a $100 million sideshow into a $2.5 billion behemoth by 2005, according to insurance industry projections."

12 of 175 comments (clear)

  1. Wow by Anonymous Coward · · Score: 5, Insightful

    If they'll pay that much for insurance, I wonder how much they'd pay for a SysAdmin that secures things properly.

    1. Re:Wow by error0x100 · · Score: 5, Insightful

      When a company buys insurance they are 100% guarenteed to recover losses from a crack.

      When a company spends that money on an admin, the chance for being broken into goes down, but will never be 0%

      Taking out h/crack insurance, then, lowers the incentive for additionally investing in proper network security (e.g. a decent sysadmin). The companies, if the insurance leaves them feeling "financially safe" from an attack, will be even less inclined than they are now to implement proper security. In "normal" insurance, this sort of thing amounts to negligent/deliberate behaviour that in some cases will make the insurer decide not to pay. If enough people leave their networks vulnerable, and the insurers are struggling to stay afloat as a result, then they are going to start getting more strict about the conditions of the insurance vs premiums (as happens in auto insurance, more security features on a car imply general lower risk and thus lower premiums). I don't see why it should be any different here. If companies are making almost no effort whatsoever to secure their networks (as many companies do now), then the insurer either should refuse to cover them, or they should have to pay much larger premiums. (Although then it starts to look like the old "then whats the point of insurance" argument; disability insurance providers in my country routinely refuse to even consider covering people with a medical past that includes things like even very minor back problems. In other words, they will only cover people who do not represent much of a risk at all). However, in the case of 'network insurance', its deliberately irresponsible behaviour that places one in a high risk group (e.g. like smoking).

  2. But how would they cover the debt.... by Anonymous Coward · · Score: 5, Interesting

    if everyones site went down - as it almost did with the latestVuln in MSSQL - how would anyone ever cover the losses?

    fp

    1. Re:But how would they cover the debt.... by PhxBlue · · Score: 5, Insightful

      Better yet, how do you even determine the losses? The only science I've seen of it to date is: Company A says, "We lost $x amount when we lost our connection for 2 hours because of this attack," with nothing to back up the dollar figure.

      This insurance idea could be a good one, simply because it might force businesses to justify their losses when network attacks occur. I'm not going to hold my breath, though.

      --
      !#@%*)anks for hanging up the phone, dear.
  3. Product liability instead by azoidx · · Score: 5, Insightful

    what about product liability? automakers, drug manufacturers and every other manufacturer is liable for their products in some way. How come software companies are exempt from this?

    1. Re:Product liability instead by Anonymous Coward · · Score: 5, Insightful

      How come software companies are exempt from this?

      Because you clicked "Yes, I agree".

  4. duh! by MissMyNewton · · Score: 5, Insightful

    the *best* insurance is a competent admin...

    nothing else will do!

    --

    ---

    Information wants...you to shut your pie hole.

  5. Hacker vs. Cracker by GuyMannDude · · Score: 5, Insightful

    I can see it now: company tries to claim a loss due to having their network compromised.

    Insurer: I'm sorry but we have rejected your claim.

    Insured: What the hell do you mean? This is why we bought hacker insurance!!

    Insurer: Yes, but you bought "hacker" insurance. If you wanted to be reimbursed for a loss like this, you should have bought our "cracker" insurance! But you're in luck! We've got a special offer now! If you buy cracker insurance and already have purchased hacker insurance from us, you will save 10%! I guess today is your lucky day after all!

    Insured: You insurance companies are vultures! Profiting off our loss! Well, okay, I don't want to think any more about it. Just sell me whatever insurance you think is best for me.

    Insurer: Just what I was hoping you'd say! Sign here, here, and here, please! No, don't bother reading that. It's just a bunch of legal jargon...

    GMD

    --
    watch this
  6. Do they cover your bandwidth bill too? by Stephenmg · · Score: 5, Interesting

    Do they cover your bandwidth bill when some random infected virus sends packets to your secured site even if you dont get infected?

  7. An analogy by thesilverbail · · Score: 5, Funny

    Thats like the story of NASA inventing this hyper-super-duper centrifugally balanced gravity boosting ballpoint pen for their astronauts and the Soviets bringing along a pencil.

    --
    I have found a truly wonderful proof of Fermat's Last Theorem, but unfortunately this sig is too small to contain it.
  8. Not a bad idea by Anonymous Coward · · Score: 5, Interesting

    Car insurance is cheaper if you have an ignition disabler, and other anti-theft features.

    If companies actually buy cracking insurance, they will want to get it at a low price.

    The insurance industry, by charging high-premiums for bad IT management, bad security, bad policy, and bad software, could force companies to improve themselves.

    How high are the premiums on MS SQL 2000?

    You could clearly point to the insurance premiums and show how much bad security is costing the company.

  9. Might actually help by AppHack · · Score: 5, Insightful

    The interesting thing is that if companies followed the requirements of the insurance company to get the hacker insurance, their security would improve tremendously. Many companies don't even perform the simple tasks the insurance companies will require. That alone would help tremendously.

    Ironically, if more companies would conduct assessments, patch vulnerable systems, setup security policies, etc. the demand for this type of insurance might actually diminish. Little chance of that. :-)