Firewall Wizards mailing list archives
RE: Lloyds to offer hacker insurance
From: "Kevin Tyrrell" <tyrrell () foremost com>
Date: Wed, 29 Apr 1998 10:36:25 -0400
From our perspective, writing a policy is akin to legalized gambling. We accept your premiums and bet we can invest it and get a return on it before we have to pay it back as a claim. We have been insuring mobile homes, RVs and travel trailers for the last 45 years. In that time we've gotten to know these products really well. We insure against the usual things - fire, theft, natural causes (tornadoes, hurricanes, floods, lightning, etc). We have a pretty good idea of what to expect in terms of exposures from this stuff. We can calculate our odds pretty well since the exposures are pretty well known.

So Lloyds brings in some "experts" to review our security policy, inspect our network, review our user training, interrogate all the users to make sure they're honest, bla, bla, bla and they certify us as insurable (secure). We're all set, we can go back to sleep now. The next month we have hurricanes in Florida, floods in CA, tornadoes in Indiana. Someone decides to have some fun and pushes through a hole in the new firewall system we just installed. This brings our network down so we can't process claims. After a day or two we'll be history. So Lloyds pays us a million $$, just enough to pay for gracefully closing the doors.

Or say Lloyds insures a lot of companies who use version X.0 of OS YYY as the basis for their firewall system. Of course they're all insurable (secure), since they've been certified by the "experts". So what happens to Lloyds when the next killer 'sploit is used on the majority of these systems all at once? I don't see how Lloyds can calculate the odds of loss from an exposure they don't even know exists. At least we're pretty sure we won't see a bunch of mobile homes destroyed by volcanoes erupting in Tampa.

We are in the midst of installing a firewall and a direct Internet connection. We have researched firewall systems very carefully for about a year. We have put an enterprise-wide security policy in place. We're removing the back doors. We have started a security awareness program. We also feed and house some of the "experts" every now and then. These types of actions are what make up our insurance policy.

Buying insurance against "hackers" might actually make some companies less secure. They have been certified as insurable (secure), so they can put security on the back burner until it's time for next year's checkup, then they get whacked. But hey, they got insurance.

Kevin Tyrrell
Foremost Insurance Co.

Disclaimer: These opiini^H^H damn! ^H^H ^Q ^[ .... :w :q :wq :wq! ^d ^X ^? exit X Q ^C ^? :quitbye Ctrl-Alt-Del ~~q :~q logout save/quit :!QUIT ^[zz ^[ZZZZZZ ^vi man vi ^@ ^L ^[c ^# ^E ^X ^I ^T ? help helpquit ^D ^d !! man help ^C ^c:e! help exit ?Quit ?q Ctrl-Shft-Del "Hey, what does Stop L1A d..."

-----Original Message-----
From: owner-firewall-wizards () nfr net [mailto:owner-firewall-wizards () nfr net] On Behalf Of David Lang
Sent: Tuesday, April 28, 1998 9:52 am
To: Marcus J. Ranum
Cc: Firewall Wizards List
Subject: Re: Lloyds to offer hacker insurance

-----BEGIN PGP SIGNED MESSAGE-----
Remember what insurance boils down to, a gamble ... snip ...