Firewall Wizards mailing list archives

Re: Lloyds to offer hacker insurance


From: "Marcus J. Ranum" <mjr () nfr net>
Date: Mon, 27 Apr 1998 09:35:45 -0400

Adam Shostack wrote:
I'm very curious as to what people think of the idea of insurance for
infosec failures.  Will it encourage standards of due diligence and
due care for the industry, the way bank insurance has driven bank
safes to be stronger and stronger?

I'm sure that it will, so it's a good thing. Presumably the insurance
premium will be somehow tied to whether or not you observe due diligence
at varying levels. I expect they tie it to some kind of review of
existing practices -- much like when you get a million dollar life
insurance policy in the US: they draw blood, do an EKG, and urinalysis.
Very different from getting a $50,000 life insurance policy. You'll
note the quote in the article from the guy from Asset Management
Solutions, Inc, which helps with the assessments. About a year ago
NCSA (now ICSA) did a similar deal where you could get web site
insurance through Prudential, if you first passed their test. I
suspect a lot of this is really a game to sell a high-priced ISS
scan, which probably costs more than the insurance policy.

Of course, as the CEO of a company that makes the Internet's most
butt-kicking network event recorder, I'm thrilled to death to see
this kind of thing, because it'll make NFR money. :) One of the
things that's got to come up if anyone ever tries to lodge a claim,
is proving that the damage was covered by the insurance! Let's say
you have "firewall insurance" --- OOOPS you gotta be able to prove
they broke in through the firewall, not the dialin server, because
you don't have "modem pool insurance". And was that attack really
covered by "firewall insurance"? It might have been an attack
applet not covered because you didn't pay for the "java insurance"
rider policy. Etc, etc. There's infinite room here for finger
pointing. It's going to drive a whole new market for event
recording, if it takes off.

My guess is that "security insurance" isn't going to take off in
a big way. Companies are already sensitive about spending $$ to do
security in the first place -- why would they spend $$$$ to avoid
it?

mjr.
--
Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
work - http://www.nfr.net
home - http://www.clark.net/pub/mjr
