Slashdot Mirror

← Back to Stories (view on slashdot.org)

Cyber Insurance Between the Lines

Posted by timothy on from the door-hit-rear-on-way-out dept.

Shackleford writes "Security Focus has an article that discusses insurance policies regarding 'computer attacks and cyber sabotage.' It discusses a case in which an administrator who set up back doors in the system with which he was trusted deleted files to which he could access after he was fired. His company had insurance against dishonest acts by employees, but not against 'acts of destruction.' Eventaully, the company won, but the case went to litigation. So the lesson to be learned here is that your company may have 'cyber insurance' without knowing it, but you need to be sure about it."

7 of 89 comments (clear)

  1. No wonder insurance is so expensive. by Sheetrock · · Score: 3, Insightful
    I don't know how much hand-holding people need, but this kind of thing goes a bit far. If you've got a troublesome ex-employee, I'd think they should be able to handle something like this with a civil suit. Instead, it's pulled out of insurance, which drives up all our premiums.

    Fantastic. And with litigation costs to boot.

    --

    Try not. Do or do not, there is no try.
    -- Dr. Spock, stardate 2822-3.




    1. Re:No wonder insurance is so expensive. by mlyle · · Score: 3, Insightful

      Assuming the ex-employee has the resources to pay damages, and that you can collect them.

      Insurance companies in most contracts are allowed to subrogate; that is, when they pay damages to you, they inherit all of your rights regarding that claim-- and can choose to go and sue the employee themselves if they think it's worthwhile.

      This is what insurance is for, really.

  2. dishonest acts by employees? by mr_zorg · · Score: 2, Insightful

    I'm sure this is an over simplification, but if the insurance was for dishonest acts by employees, how could the company win? This act was comitted by someone who was no longer an employee...

    1. Re:dishonest acts by employees? by The+Jonas · · Score: 3, Insightful

      IANAL, however I think the case may have been won by the fact that the "backdoors" were put in place while the offender was employed with the company. Therefore, they might have been able to prove malicious intent or something like that.

  3. Re:Do Admins leave Backdoors a lot? by Jetson · · Score: 4, Insightful

    If you have the ability to add a back-door you will also (in most cases) have the ability to recover from a lost password without *needing* a back door.

  4. Insurance... by NickisGod.com · · Score: 4, Insightful

    Insurance is one of the biggest vains the U.S. is facing today. You name it, car insurance, workman's comp, homeowners, cyber, etc.

    Beside's it being legalized gambling, whenever something does happen, these companies try to get out of paying and point fingers at fraud.

    There has to be a better way.

    P.S. Is it this bad in other parts of the world, or are there "better systems" in place?

  5. It's the insurance company's fault by Proaxiom · · Score: 2, Insightful
    They should have better worded the policy.

    I wouldn't be surprised if this kind of thing happens a lot over the next little while, until insurance companies (and in particular, the actuaries) can get their heads around the liability associated with network security.

    As a developer in the security industry, I look on this as great news. I've been saying for a long time that what data security companies really need is for the insurance companies to start tying premiums to security infrastructure. When that happens there will be a clear ROI on security investment, and companies will learn quickly how to cover their asses better from these kinds of vulnerabilities.

    Situations like this motivate the insurance companies to start assessing risk, and when they start assessing risk they start charging their customers for it, and when the customers are getting charged for it they start mitigating that risk. Right now, that just isn't happening.