Hacking Insurance For Net Businesses

Spasemunki writes: "ZDNet is carrying a story today on the new partnership between Lloyd's of London and Counterpane to offer 'hacking insurance' to businesses with big, expensive net presence. Is this a good-for-business acknowledgement that even the best security framework has flaws, or companies stepping back from protecting their customers in favor of covering themselves? According to the CTO of Counterpane, e-commerce businesses 'don't have to prevent hacking; they have to manage their risks.' Interesting perspective from a security wonk." Of course, I'd rather have cracker insurance.

Re:This is no protection

> The best and most innocuous way a system is
> penetrated and compromised is not from
> remote exploits, but from the inside. The
> careless SysAdmin who leaves a root console
> open; the stupid employee who writes his
> password on postit notes next to the monitor;
> the disguntled and angry employee that did
> not get the raise he thinks he deserved.

How would insurance companies handle a more meatspace version of those kinds of problems? A clueless employee or security guard forgetting to lock the doors after closing? Would the insurance companies just consider that 'self-inflicted' and leave them to handle it themselves?

Myself, I'd be more interested in finding a concrete way to determine how much a company loses in an attack. Preferably in real money. Anyone can get their web page cracked and replaced for 4 hours and claim they lost three percent of Japan's net worth as a result. In fact, 'anyone' seems to - even the slightest compromise claims to have millions or tens of millions of dollars in damage.

Just how can they prove that they lost, say, $6M on a thirty-minute DDoS smackdown or something? Exactly what company earns a quarter billion dollars a day anyway?

-Patrick Stewart

I think that this is going to be well-used

Certainly, any large corporation should both secure themselves to the best of their ability, AND take out a policy.

Reading sites like CERT, l0pht and rootshell (And hoist a beer to the now-seemingly-defunct 8lgm) is never going to become useless, because at some point they will charge you so much for your coverage that you can no longer afford to remain in buisness. There will continue to be a need for security.

At the same time, I do think that for a short time at least, this will lead to lax security in companies which do purchase these policies. Some of them will doubtless reason that simply because they have purchased this policy they have all the protection they need.

That will last just long enough for them to lose some truly critical data or buisness which will seriously impair their ability to operate. At that time, they will take the money their policy pays out to them and hire a team of badasses to come in and secure their network, because they can't afford to have that happen again, even if someone does throw money at them when it occurs. Money doesn't turn back the clock, at least not yet.

All you security consultants are safe, but you might want to lay in some ramen for the next few months if you just got off a four month vacation. Lazy bastards.

Cracker Insurance?

Why would you NEED insurance for crakers? All the boxes of crackers I buy have a 'money back if not satisified' label. And, if the saltines aren't right, I just throw them out.

Seems like a waste to buy cracker insurance.

As for hacker insurance, I guess there ARE risks with using chairs made with axes. You would think tho, if you LIKE axe-made chairs, you'd inspect the craftmanship before you bought it.

Their marketing

'For the right price, my boys could offer you "protection", because we wouldn't want to see what happened to you if you didn't buy our "protection." hehehehe.'

Re:Symantics

The dispute will more likely center on the "X millions of dollars" part. Does this cover salaries for fixing the system? Revenue lost because of downtime? Upgrading software to more secure versions? That's what'll end up in front of a judge eventually, unless the contract is exceedingly well written.

Also, don't just go assuming that it's always insurance companies who are the rip off artists. In both consumer and commercial insurance, there are many more instances of fraud and legalistic shenanigans by the people covered than by insurers.

Case in point: my brother in law works for the firm that insures Microsoft (Zurich Intl.). Among other things, they cover them with a standard indemnification plan - a.k.a if Microsoft is sued in civil court, the Zurich is responsible for both the defense and the damaages (if any). Just like with many automobile plans, it is the insurance company's lawyers who defend the case, which is only fair since they are the ones on the hook for the monetary loss. Insurers will often settle cases their clients would have fought, because they have less of an emotional attachment to the idea of being proven right in court.

Microsoft is now suing Zurich because they want to be reimbursed for all the attorney's fees they've spent in defending themselves in the anti-trust lawsuit. Microsoft is trying to twist a clearly written indeminfication plan into a blank check for all their exceedingly high-priced lawyer's fees, while giving Zurich no say in how the defense is actually presented.

Needless to say, Zurich is defending itself.

What will be interesting...

Is to see how the claims get handled. If basic security proceedures were not followed (patches, closing off extraneous ports, etc) will the claim be paid? If they are paid, it will set a bad precendent, and give companies an excuse to maintain poor security, hire less qualified admins, and just file claims when bad stuff happens.

If they DO deny claims based on lack of basic preparedness, it could benefit the overall community by making it worth the company's pocketbook to make sure their admins are well trained, and have the equipment and software they need. Lawyers LOVE it when companies have insurance policies - it means larger settlements for them.

and

If you act now, you can get a 25% discount on Alien abduction insurance too!

Same as every business...

Why is this news ? Surely this is exactly the same as insuring a standard company against burglary ?

Its just another case where everyone is suprised because the eWorld is the same as the normal world.

To use the real world, basic security is important, but investment in a patrolled compound to protect a pizza parlour is excessive, while spending $100 on insurance per year makes pretty good sense.

There is no "e" or "v" world, there is this world.

Symantics

I just can't wait for the first claim to come in:

Business: Look! We were attacked by hackers and lost X millions of dollars, call the insurance company!

Insurance Company: We're sorry, but you were attacked by CRACKERS, not Hackers, and you only purchased the Hacker insurance. It's an extra 50K a year for the Cracker insurance. Sorry. (Evil cackle)

Kintanon

Stupidity in action

A fool and his money are easily parted...

Hey, if someone's willing to buy hacking insurance instead of securing their systems, then they deserve to make these insurance companies rich.

What I wonder is, when one of these companies gets cracked, will the insurance provider pay off if it was due to negligence? I mean, most insurances only apply to accidents. If I buy flood insurance for my home, and I leave all the windows and doors open during a flood/hurricane, I can't make a claim. I don't believe drunk drivers can collect from claims on their auto policy either. Same with this situation--what insurance provider will pay up if you leave your box sitting totally unsecured on the Internet?

Re:Same as every business...

Probably because of the wild difference in assessibility of risk.

You can fairly easily get a good idea of how secure a physical site is. Check the locks, the alarm systems, review the security staff and their training, etc etc etc.

But for a moving target like infosec, I can't see how they can determine a risk assessment, unless they're not even bothering to and just using actuarial tables.

Given the generally paranoid and overly cautious attitudes of insurance companies, I'd say a change like this does signify news.

Putting a $$ figure on damage

I would like to see how they will value the damage. It seems to me that every time there is a cracked machine on the web the damage bill seems to run into millions.

For example while the "I love you" virus pissed alot of people off and caused more then a few email servers to crawl to a holt, I think the estimate of 5 Billion dollars of damage was a little overstated.

After all how do you factor in Brand name damage, future loss revenue from deterred surfers and knock on advertising revenue effects when assessing a claim. No doubt most companies will pick a random figure and multiply it by 10.

I will be interested to read about the first claim.

Don't laugh

Don't laugh. The British firm Goodfellow Rebecca Ingrams Pearson actually offered a policy against Alien impregnation [google.com].

Sadly, they discontinued [knotwork.com] the service in the wake of the Heavens Gate cult suicide. Insane people are just too likely to make claims against the policy.

Hacking insurance!

Here at XYZ Insurance Corporation, we're proud to announce our new Hacking Insurance - protecting your business interests against hackers!

Hackers have been known to attempt to undermine your business interests with subversive activities like replacing IIS [microsoft.com] with Apache [apache.org], and porting your product to Linux [linux.org]. Here's what we offer for protection:

• Instant Apache uninstall - we keep secured backup tapes that let you go back to your secure, responsive IIS environment instantly!
• Linux replacement - with proprietary tools [insecure.org] we can search out Linux computers connected to your network and replace them with secured NT workstations!
• Source code security - we offer to help you write Windows-specific code so your developers can never switch to Linux if their hacker instincts flair up! As you can see, hacker insurance has many benifits. Protect your business investments today!

Maybe some good will come of this...

Maybe these companies will be forced to actually provide some evidence when they claim "we lost $42 million dollars when our web site got cracked." I don't think the insurance company is just got say "sure, $42 million, here ya go!"
---