Hacking Insurance For Net Businesses 117
Spasemunki writes: "ZDNet is carrying a story today on the new partnership between Lloyd's of London and Counterpane to offer 'hacking insurance' to businesses with big, expensive net presence. Is this a good-for-business acknowledgement that even the best security framework has flaws, or companies stepping back from protecting their customers in favor of covering themselves? According to the CTO of Counterpane, e-commerce businesses 'don't have to prevent hacking; they have to manage their risks.' Interesting perspective from a security wonk." Of course, I'd rather have cracker insurance.
Re:This is no protection (Score:3)
> penetrated and compromised is not from
> remote exploits, but from the inside. The
> careless SysAdmin who leaves a root console
> open; the stupid employee who writes his
> password on postit notes next to the monitor;
> the disgruntled and angry employee that did
> not get the raise he thinks he deserved.
How would insurance companies handle a more meatspace version of those kinds of problems? A clueless employee or security guard forgetting to lock the doors after closing? Would the insurance companies just consider that 'self-inflicted' and leave them to handle it themselves?
Myself, I'd be more interested in finding a concrete way to determine how much a company loses in an attack. Preferably in real money. Anyone can get their web page cracked and replaced for 4 hours and claim they lost three percent of Japan's net worth as a result. In fact, 'anyone' seems to - even the slightest compromise claims to have millions or tens of millions of dollars in damage.
Just how can they prove that they lost, say, $6M on a thirty-minute DDoS smackdown or something? Exactly what company earns a quarter billion dollars a day anyway?
-Patrick Stewart
Right.... (Score:1)
--
Re:I want more details... (Score:2)
Wouldn't it be more of a process audit? Things like:
Re:How This HAS To Work (Score:2)
My only concern is in making sure that the little guy, who actually puts a significant amount of effort into properly securing their services, gets a fair rate for eye-candy "reassurance" insurance.
Just one question... (Score:1)
if ($user =~ m/shaldannon/i) {
    print "\n-- $user\n";
}
Out of Curiosity? (Score:1)
NO NO NO NO!!!! (Score:1)
Thieves, extortionists, criminals, etc. etc.!!!!
My vent is now complete.
Re:Putting a $$ figure on damage (Score:2)
But is there a right way to calculate damages resulting from data theft? I mean, sure, there are certain things that are (relatively) easily calculated, business lost during the time it took to fix a system being the best example, but if someone hacked Adobe and "stole" an alpha version of the latest PhotoShop, what's the damage? Adobe still owns the version, so they haven't LOST anything... Bandwidth loss is extremely negligible. However, in that case it merely isn't right to charge something like $25 in damages.
Or is it?
Re:Right.... (Score:1)
what do you expect (Score:1)
Ding! We have a winner... (Score:2)
That was my first thought exactly.
The problem here is that definitions and verifications of those definitions is really touchy stuff. It's going to be for quite some time.
This is a needed thing, I believe... but it's also much too slippery a slope. There are too many 'wellll... maybe' issues.
Re:Funny Stuff (Score:1)
Re:Hacking insurance? (Score:1)
Well, if the intruder destroyed the systems after stealing the info, the backup tape would let you know what info was stolen, so you could go and notify the CC companies and let them know what numbers were stolen, etc. This might save you from a lawsuit, because it shows that you took steps to mitigate the damage. (At least, I hope it would, but that murky world of lawyers scares the hell out of me.)
Re:Semantics (Score:1)
So:
hackers == happy men
crackers == homosexuals
ah... I think I've got it. another group emerges and takes control of the word (although certainly not in an organized fashion). The crackers (homosexuals) emerge and take the word hacker (gay). So a real hacker (happy guy) could be understandably upset by the meaning shift of this word as.
Okay... I get it.
A hacker is more of a word you use to define yourself as though. No one really 'had' the word gay before it was used for the homosexuals.
*shrug*
Also, I think 'gay' has more of an accepted popular definition than 'hacker'. I could just be naive though.
The happy guy in my opinion has a right to be a little miffed, but he's much less likely to be.
A step closer to what network security should be. (Score:2)
Some of you may have experience of getting advice from those so-called risk management consultants for e-business from those large consulting firms which are actually selling you M$ solutions. I think insurance on network security is a more practical way. To know how good your network security measures are, ask the insurance companies to give you an assessment.
Cracker insurance? (Score:1)
Hey... this puts a new spin on the name of Premium(tm) brand saltines!
Is eBusiness any different? (Score:1)
Good Idea, and it's Not "Hacker" or "Cracker" (Score:1)
As for insuring a company against theft and vandalism, the first step is to get the best lock system and security your money can afford, and maybe a little insurance on the side. Especially if you're a target, there's no substitute for properly safeguarding your site.
A better solution is to charge for insurance based on how easily broken into a 'puter may be. Once companies can get a dollar amount they could save through proper security, there WILL be a stampede to set up better protection.
I think that this is going to be well-used (Score:4)
Certainly, any large corporation should both secure themselves to the best of their ability, AND take out a policy.
Reading sites like CERT, l0pht and rootshell (and hoist a beer to the now-seemingly-defunct 8lgm) is never going to become useless, because at some point they will charge you so much for your coverage that you can no longer afford to remain in business. There will continue to be a need for security.
At the same time, I do think that for a short time at least, this will lead to lax security in companies which do purchase these policies. Some of them will doubtless reason that simply because they have purchased this policy they have all the protection they need.
That will last just long enough for them to lose some truly critical data or business which will seriously impair their ability to operate. At that time, they will take the money their policy pays out to them and hire a team of badasses to come in and secure their network, because they can't afford to have that happen again, even if someone does throw money at them when it occurs. Money doesn't turn back the clock, at least not yet.
All you security consultants are safe, but you might want to lay in some ramen for the next few months if you just got off a four month vacation. Lazy bastards.
Re: (Score:1)
Cracker Insurance? (Score:3)
Seems like a waste to buy cracker insurance.
As for hacker insurance, I guess there ARE risks with using chairs made with axes. You would think though, if you LIKE axe-made chairs, you'd inspect the craftsmanship before you bought it.
Re:Funny Stuff (Score:1)
"Bruce Schneier" (Score:1)
Their marketing (Score:4)
crackers and cheese please (Score:1)
"Of course, I'd rather have cracker insurance." -- emmett, esq
Methinks emmett doesn't know the difference between one who loves to learn about computers (hackers) and one who loves to learn about computers (crackers). Hmm... one would also deduce that he hasn't quite yet figured out the definition of a Skr1pt K1dd13.
2600: The Hacker Quarterly
Phrack (Phreak + Hack)
I rest my case. Nutty emmett.
This is the ONLY protection (Score:2)
Importantly, though, what's the mantra of the security aware? No system is secure. OK, a system filled with concrete unplugged at the bottom of the ocean comes close. But there will always be a new vulnerability, an insider bribed, a way in. Always. Insurance is really the only solution for businesses in this area, much like, as other posters have realized, the niches where insurance is popularized in the real world.
In an uncertain world, insurance becomes needed. The wonderful and insidious thing about this, however, is that you know what the trend of insured internet businesses will drive? Security! You want a good rate on your security insurance? Better freakin' install the latest patches, have a subscription to Security Focus, get a good firewall, implement access policies, do background checks, shred your paper trash...
This will be a fantastic wave of actual implemented security.
what we might see (Score:1)
Re:Yet Another Bad Idea(TM) (Score:1)
Risk Management is a lot more sophisticated than this. A Risk Manager would consider the cost of new construction vs. the cost of insurance vs. the potential loss and the probabilities of that loss.
The insurance discussed in this article is not for the little guy. The little guy also doesn't have a potential loss measured in $millions/day of lost sales.
Anomalous: inconsistent with or deviating from what is usual, normal, or expected
Not to be redundant... (Score:2)
It's not like they're insuring solely (if at all) the security of your own systems, but they are offering a source of aid assuming that you fall prey to a business-impacting loss of internet service in one way or another. It's also not like the system won't be defrauded at all, mind you, but then again all insurance systems have been and are being defrauded on some level. These people are either caught or not, and it won't be any more difficult in this setting.
One more thing that hasn't been mentioned in any significant amount yet is the fact that a large number of businesses have not been significantly impacted by h/crackers. Many of these would still pay a fair amount for a secure feeling - which, more than anything else, the insurance business is there to provide. I personally would probably pay for this, not because I can't secure a system a fair amount, and not because I think that evil computer geniuses really want to take down my t-shirt shop, but because of that self-same "warm fuzzy feeling".
Counterpane and its CTO (Score:1)
Bruce Schneier is one of the most respected cryptography experts in the world. If you are at all interested in code-making and code-breaking you have probably read his book, "Applied Cryptography".
Bruce also designed the Solitaire algorithm used in "Cryptonomicon", and the Counterpane newsletter is required reading for anyone interested in the field.
So, this probably is not another meaningless partnership to extract some money for nothing from scared Fortune-1000 CEOs.
Re:Fraud... (Score:1)
Re:Symantics (Score:1)
In future, please call us by the term we would prefer to have applied to us: "Redneck Peckerwoods".
Lloyd's of London...big liability themselves (Score:2)
Re:NO NO NO NO!!!! (Score:1)
Re:I want more details... (Score:2)
Preying on public paranoia (Score:2)
"Remember: Robots ARE out to get you," etc.
Is this policy REALLY necessary, or is this the insurance equivalent of yellow journalism?
Re:Symantics (Score:3)
The dispute will more likely center on the "X millions of dollars" part. Does this cover salaries for fixing the system? Revenue lost because of downtime? Upgrading software to more secure versions? That's what'll end up in front of a judge eventually, unless the contract is exceedingly well written.
Also, don't just go assuming that it's always insurance companies who are the rip off artists. In both consumer and commercial insurance, there are many more instances of fraud and legalistic shenanigans by the people covered than by insurers.
Case in point: my brother-in-law works for the firm that insures Microsoft (Zurich Intl.). Among other things, they cover them with a standard indemnification plan - a.k.a. if Microsoft is sued in civil court, Zurich is responsible for both the defense and the damages (if any). Just like with many automobile plans, it is the insurance company's lawyers who defend the case, which is only fair since they are the ones on the hook for the monetary loss. Insurers will often settle cases their clients would have fought, because they have less of an emotional attachment to the idea of being proven right in court.
Microsoft is now suing Zurich because they want to be reimbursed for all the attorney's fees they've spent in defending themselves in the anti-trust lawsuit. Microsoft is trying to twist a clearly written indemnification plan into a blank check for all their exceedingly high-priced lawyers' fees, while giving Zurich no say in how the defense is actually presented.
Needless to say, Zurich is defending itself.
Re:How This HAS To Work (Score:2)
This insurance has been available for several years, usually tacked onto an existing data center loss prevention policy. This is a press release to show how our beloved Bruce Schneier has become a partner with a big insurance house.
The insurance company will require at least two audits, the first to determine the policies and attitudes of the management, and to locate holes in enforcement of a good security policy. After the fixes have been made, the second audit will show whether the management can accommodate the change necessary to implement a proper security policy. It's more about attitude than open ports.
There are several parts to the audit. The hack/crack part does all the usual stuff, such as wardialing the whole company looking for unauthorised modems, running customised exploit scripts and custom versions of ISS and nmap. They also make sure every system connected to the network is documented, and they log on every server and check the security from inside as well.
There's a bunch of naff stuff going on at the same time like policy audits and background checks on all the IT staff and secretaries. In the end there is a big report, and a security score based on it determines your policy rate.
The policy holder sometimes puts a security consultant on the site for a while, to monitor the state of the network and how well the IT idiots follow the required security policy.
The whole exercise is to raise the bar against script k1dd13s, and give the shareholders a warm and fuzzy feeling. It also gives the lawyers a defence if a cracker does damage and the company gets sued.
What counterpane is probably doing is either renting out some tiger teams or training up some in-house teams to use their custom made tools.
the AC
ramen (Score:1)
So here I am; The highpoint of my day.
Lunch-time.
No longer am I content with such concepts as female companionship, wealth or pleasure; I find all that I need in Ramen.
The ceremony commences. I enter the break-room. A medley of microfiche machines contrast the smooth curve of coffee pots filled with steaming liquid. I turn, facing the altar. I bow to my god Maruchan, the smiley face god, for he brings me ramen in such a pure form.
Cuidado: Caliente! screams out the sacred Japanese vessel in Spanish. I extend my hands, never taking, only receiving. Maruchan smiles upon me as he bestows the vessel upon me. I find it strangely cool. The delightful feel of a smooth woman's skin on my flesh. My Ramen.
I approach the fiery cauldron of water. Pure springs splash down into the pot, warming and bubbling. Steaming with cleanliness. My Ramen meets the water in a joyous union.
Maruchan smiles in heaven.
Re:Putting a $$ figure on damage (Score:1)
Colin Winters
Cracker Insurance (Score:1)
---
good news for secure systems like BSD and Linux (Score:2)
The nice thing is that, since money is on the line, the insurance company has a huge incentive to be objective and honest about what really works to prevent "hacking." My guess is that obscurity-based systems don't get rated as high as a Volvo.
What will be interesting... (Score:5)
If they DO deny claims based on lack of basic preparedness, it could benefit the overall community by making it worth the company's pocketbook to make sure their admins are well trained, and have the equipment and software they need. Lawyers LOVE it when companies have insurance policies - it means larger settlements for them.
and (Score:3)
insuretrust (Score:1)
Funny Stuff (Score:1)
How This HAS To Work (Score:2)
For some companies, this makes a lot of sense. Others take their chances. In any event, I foresee many other insurers and insurees getting in on this soon.
Damn Crackers (Score:2)
Yeah, why worry about your computers when there's a much bigger threat out there: hordes of inbred white people?
Responsible (Score:1)
After my auto insurer created an extra-high-risk category for me, I never figured I would affect the insurance industry so significantly again.
-Spazimodo
Fsck the millennium, we want it now.
Same as every business... (Score:4)
Why is this news? Surely this is exactly the same as insuring a standard company against burglary?
It's just another case where everyone is surprised because the eWorld is the same as the normal world.
To use the real world, basic security is important, but investment in a patrolled compound to protect a pizza parlour is excessive, while spending $100 on insurance per year makes pretty good sense.
There is no "e" or "v" world, there is this world.
Re:That is Lloyd's specialty... (Score:1)
True, but I'd suspect that for those they're treated as a one-off decision, and have correspondingly higher relative rates to compensate for the added workload.
Since I couldn't see IS Insurance being profitable that way (well, unless they just target 'the companies that matter' in the Fortune 500, to slashback to the Apache/IIS article of earlier today) I'd think it would be more based on actuarials or moderately wild assed guesses. It could very well be I'm just extrapolating too far into the mass market application of IS Insurance, rather than a new one-off that's now available.
Or maybe it's the lack of sleep. :)
Lets get serious (Score:1)
Re:Maybe some good will come of this... (Score:1)
I think a fair number of those claims (at least, in terms of virus storms like the Love Bug) aren't real damages, but lost time and wages. I don't think that insurance companies would be too likely to cover that.
I'd also love to see the requirements and riders they'd put on the policies. I can imagine that ANY publicised vulnerability being used in the attack would nullify the coverage (and it should, IMO).
Heck, this could give us an entirely new pointless benchmark for the O/S wars! "My O/S is cheaper to insure than yours!" :)
hacking and cracking (Score:1)
Re:Semantics (Score:1)
Of course. They have the Académie Française in France, to make it illegal to call a computer computeur. However, the English speaking world generally doesn't go in for such authoritarianism.
So if everyone started calling gay men 'fags' tomorrow, they'd be right?
In the end, you have to decide who owns the right to define language. The only sensible answer is those who speak it.
Re:Semantics (Score:1)
If that is how it should be then it might as well be argued that doctors should have to change their speech so it matches what the majority think doctors should say (after watching a few episodes of ER of course).
Hacking/Cracking Insurance (Score:1)
Not me. I'd rather go for Hacking insurance. I don't want no *NIX guru comming in and creatively solving my carefully crafted network problems, puttin me out of a job. Those damn hackers preventing us workin stiffs from keepin a nice little maintenance roll.
Probably good. (Score:1)
that's a whole new fraud game.... (Score:1)
title says it all - how exactly are they going to investigate fraud on this one, and just how easy will it be to fake a DoS... er, I guess it doesn't need to be faked.
This is my new business plan. If anyone has VC and would like to invest in my company, I can guarantee a $50 million ROI. :)
Symantics (Score:5)
Business: Look! We were attacked by hackers and lost X millions of dollars, call the insurance company!
Insurance Company: We're sorry, but you were attacked by CRACKERS, not Hackers, and you only purchased the Hacker insurance. It's an extra 50K a year for the Cracker insurance. Sorry. (Evil cackle)
Kintanon
Hacker Insurance? Start the Countdown! (Score:1)
Re:Fraud... (Score:2)
Insurance fraud has been around for a long time. In the US, the states have offices to handle this kind of thing and when it starts getting offered in that state then the Fraud division will hire on some computer admins to help them. They might be slow but they are rarely stupid.
Re: (Score:2)
Class-action lawsuits (Score:1)
Further, up until now many startup companies had shallow pockets, but with this kind of protection, we could see a lot of groundless litigation, and people just trying to pressure these insurance companies into settling.
Stupidity in action (Score:3)
A fool and his money are easily parted...
Hey, if someone's willing to buy hacking insurance instead of securing their systems, then they deserve to make these insurance companies rich.
What I wonder is, when one of these companies gets cracked, will the insurance provider pay off if it was due to negligence? I mean, most insurances only apply to accidents. If I buy flood insurance for my home, and I leave all the windows and doors open during a flood/hurricane, I can't make a claim. I don't believe drunk drivers can collect from claims on their auto policy either. Same with this situation--what insurance provider will pay up if you leave your box sitting totally unsecured on the Internet?
Re:Wow, Cracker Insurance (Score:1)
sorry that one got me riled up.
Good for open-source (Score:2)
Insurance is a line-item in company budgets with predictable cost. Managers get bonuses for lowering predictable cost.
Working from those premises, I predict that a company with a verifiably secure Linux/BSD/$OTHER_OS_OS infrastructure will be able to negotiate a lower insurance cost than a company that says, "Microsoft insures us that this software is secure."
I further predict that direct positive impact on the bottom line will do more to push open-source solutions into business than anything else.
Keep all your benchmarks and anecdotal evidence. The insurance companies won't care. They will do the most in-depth analysis you could ever imagine, because 1) they have the resources and 2) they'll have REAL money on the line. Smart money goes where the insurance companies do. (Well, at least I trust them to take care of their own money and not give a rat's ass about the OS wars.)
Different OSes (Score:1)
PLAN 1:
UNIX Servers - $50 a month
PLAN 2:
Microsoft Servers - $50,000 a month.
hrm (Score:1)
Hacking Insurance: we make sure your cooler is jam packed with Jolt cola and Bawls to insure that your local hacker will keep on churning out tight code for hours on end.
We filter all snail mail with offers to work at bigger and better companies to insure that your hacker stays with your company.
We brutally kill any girlfriends, friends and relatives the local company hacker may have to insure he will spend endless hours hacking on company code, instead of wasting company time by pursuing meaningless and unconstructive things like "a life"
that cost your company a lot of time and money.
We do proactive code review to make sure your hacker isn't commenting all his code in 67AD Latin and insure any current or future hackers at your company will be able to decrypt the comments on your flagship product.
We provide a 24-7 pizza and cola hot line. Anytime your hacker gets worn down call this 800 number and within 5 minutes an emergency response team will be there with hot pizza and cold soda. This insures your hacker doesn't try and leave or wander off company property in search of food.
Oh dammit, I got the "definition" of hacker wrong again. I hate when that happens.
Hmmn (Score:1)
Hmmn, Would I rather do things with insurance which does not circumvent the problem merely patches it up (Lazy non proactive approach)
Or should I hire a few REALLY skilled security people for that much every year? And take a proactive approach and have someone to hang when the system fails. I can make a point of failure.
It all depends on how much and this is all in theory, but hmmn?
Jeremy
If you think education is expensive, try ignorance
You can insure about anything (Score:2)
Real life example:
Like it or not, a 50 year old buying a new Porsche is far less of a risk than a 22 year old. It is not personal, it is not specific to you, it says nothing about your parents or your abilities. So guess what, you pay more at 22 than at 50.
You may not even be able to get insurance at 22 on a certain type of car, until you enter the "risk pool". This would be the same for companies as it is for 22 year olds driving a Porsche. I may insure you but I am not taking the major risk. (i.e. $2000 deductible, $500/month payment and penalties for failure to pay)
Now, given some company "X", operating a type of business "Y", for a period of time "Z", what is the average number of security breaches (internal and external) you can be expected to incur? What varies the result the most? What kind of loss per incident can be expected? What factors contribute to a claim (i.e. how often is notoriety a cause versus failure to update patches?)
Now like your car, you are expected to take care of it. The "blue book" here however is what a company agrees to. Amazon out of commission for 12 hours is going to be a much bigger claim than slash dot. (No offense intended).
Further, the claimant cannot facilitate the action.
Have you had a security audit in the last "X" timeframe?(security like Swiss cheese)
Did you act on its findings? (no funding for upgrades)
Are you using reasonable precautions to protect yourself, data, and business?(haven't done a backup this week)
Was this a known threat you failed to act on? (ILOVEYOU attack two weeks after it made the news)
I think it is a great idea, because those with insurance must be attentive to collect on a loss. The more attentive people are the better it is for everyone.
Schneier and Stinson (Score:1)
I think both books are worth the money. Especially now that Applied's CD can be ordered from outside the USA.
Premiums (Score:1)
Company X buys hacker/cracker insurance from Company Y because they have done a risk assessment and see the need. Company Y says OK, your premium is $mumble a year, but in order to get a lower premium you will have to let us audit you. You have 6 months before the audit. Get cracking (ouch).
Six months pass and Company X has really humped it. Security is tight, low incidence rate and a good security policy is in place. Company Y comes in, says "Good Job", lowers the premium based on their audit of the risk that Company X poses to their bottom line. Company Y is happy because $mumble has become smaller, helping their bottom line and making investors happy.
A Good Thing, no?
Only problem I can see is the security hardening industry's ability to keep up and whether or not the insurance company can bring on-line a quality risk assessment team with expertise in IT security. Are those big 'ifs'?
"Hacking Insurance"?!!? (Score:1)
That is Lloyd's specialty... (Score:2)
Actualy... (Score:1)
According to the CTO of Counterpane, e-commerce businesses 'don't have to prevent hacking; they have to manage their risks.' Interesting perspective from a security wonk.
Well, actually it's a pretty common perspective from...ummm...security "wonk"s.
Any security specialist will tell you that the only secure system is either one that isn't connected to a network of any kind or one that has the power switch in the off position.
Network security is a constant game of risk management. The more secure you make something, the less functional and intuitive you make it for your end user. FTP is an inherently insecure protocol, but how many customers would be ready to kill you if you were running, say, a web host and killed the FTP service? Same goes for services such as telnet. There are secure alternatives, but again, you're alienating your customers by forcing them to use something that in their minds at least is non-standard.
So it comes down to seeking a constant balance between the services you need to provide to make a buck and the risk you're willing to take onto yourself against crackers.
This is also an attitude that is common among those in e-commerce circles. Companies don't even try to prevent all credit card fraud; the only way to do that would be to not offer credit card payments at all. They just try to keep within the "acceptable limits" of risk that they have set for their company.
--
Re:Semantics (Score:2)
What about when the guy at Radio Shack tries to tell you that this computer comes with 20 gigs of memory?
How about the all too common confusion of multiple personality disorder with schizophrenia (sp? grr... tried looking it up.)?
So if everyone started calling gay men 'fags' tomorrow, they'd be right?
I think hackers have a perfectly valid complaint here.
Re:This is no protection (Score:1)
As far as I remember, if you leave your car doors unlocked, then it's tough noogies on the car theft insurance claim.
Probably varies from firm to firm, though.
Re:Hmmm. (Score:1)
Re:Stupidity in action (Score:1)
It goes without saying, that no respectable insurance company will pay (or even sell you a policy) without auditing and/or making sure you're up to protecting your own system by either having your own able sysadmins or contracted ones.
Just think one or two milliseconds before you call people stupid.
Roland
(and this gets an "Insightful"......)
Re:Same as every business... (Score:3)
Probably because of the wild difference in assessability of risk.
You can fairly easily get a good idea of how secure a physical site is. Check the locks, the alarm systems, review the security staff and their training, etc etc etc.
But for a moving target like infosec, I can't see how they can determine a risk assessment, unless they're not even bothering to and just using actuarial tables.
Given the generally paranoid and overly cautious attitudes of insurance companies, I'd say a change like this does signify news.
Is Lloyd's insuring themselves too? (Score:1)
This is no protection (Score:2)
If systems were just insured from outside cracking, then it would make more sense. But the vulnerability of MOST systems is from the users, and so the problem of insurance fraud cannot be avoided. Why can't the CEO and CTO collaborate to make more money for the company? The last time I heard, no audit can discover what a bunch of powerful and willing conspirators want to hide.
Re:Symantics (Score:2)
When an insurance policy is granted, the company will have in place a well written procedure detailing exactly how each system will be fixed in case of a cracking incident. That will include an estimate of hours to reload the OS from scratch, and then recover the system configuration and data from backup tapes. The policy will specify how much will be paid for recovering a system after a crack, what the losses per hour are for the loss of functionality, and whether a consultant can be paid to further secure the machine after the attack.
If a system is critical to a company's well-being, then it becomes cheaper to buy some hot standby systems ready to be switched in almost immediately. Of course, this increases the cost of a system by 4x to 10x or more. Somebody does the math, and figures out which will be cheaper, a second system, or a few hours downtime of the system.
the AC
Hacking insurance? (Score:1)
BUY A TAPE BACKUP DRIVE
Cripes.. this isn't a new problem...
And even more interesting (Score:1)
how do you (Score:1)
Re:What will be interesting... (Score:1)
This may prove to be a very interesting market for persons in the IT industry. (Lookout Lloyd's - here I come! *grin*) I imagine that such insurance agencies will also insist on having certain bare minimum security procedures fulfilled in order to even be eligible for coverage.
Interesting to see which OS would have higher premiums on average, eh?
Insure who? (Score:2)
I don't agree with the 'don't have to prevent hacking; they have to manage their risks.' bit.
If cracking was prevented they wouldn't have to spend so much money 'managing their risks'.
And one of the best ways to keep crackers away is to make sure they don't know about you. This is something Lloyds of London is not achieving with this kind of news coming up in Sci-Tech sites...
I bet they just got all kinds of crackers lining up to 'test' their new insurance...
Cracker Insurance (Score:2)
Less silly suing? (Score:2)
Unless they crack their own site, collect the insurance, and then sue their tech people for not being good enough to prevent their attack. That'd definitely be silly.
Putting a $$ figure on damage (Score:3)
For example, while the "I love you" virus pissed a lot of people off and caused more than a few email servers to crawl to a halt, I think the estimate of 5 billion dollars of damage was a little overstated.
After all, how do you factor in brand name damage, future lost revenue from deterred surfers and knock-on advertising revenue effects when assessing a claim? No doubt most companies will pick a random figure and multiply it by 10.
I will be interested to read about the first claim.
Don't laugh (Score:4)
Sadly, they discontinued [knotwork.com] the service in the wake of the Heavens Gate cult suicide. Insane people are just too likely to make claims against the policy.
Counterpane is in the security monitoring business (Score:2)
Just like your insurance company may require you to install an alarm system before they cover you for burglary, this type of insurance will require you to be audited and then continuously monitored by a company like Counterpane Systems.
----
Re:What will be interesting... (Score:2)
If this were applied to computer systems, it might become a market influence. It may provide incentive to some companies to improve the quality of their software if the risk for insecure products means losing business.
This will be a great step forward! (Score:2)
© Copyright 2000 Kristian Köhntopp
Yet Another Bad Idea(TM) (Score:2)
Insurance against Hackers or Crackers is uneconomic because the element of controllability is not present. The organization has various means at its disposal to avoid service disruptions, from firewall configuration to fully-redundant, offsite backup servers. Yes, they need good Risk Management, but Insurance is not the answer to every Risk Management problem.
Though if some deep-pockets on Lloyds want to chance going broke on poorly-conceived Insurance schemes, it wouldn't be the first time.
Anomalous: inconsistent with or deviating from what is usual, normal, or expected
Hacking insurance! (Score:5)
Hackers have been known to attempt to undermine your business interests with subversive activities like replacing IIS [microsoft.com] with Apache [apache.org], and porting your product to Linux [linux.org]. Here's what we offer for protection:
Fraud... (Score:2)
Imagine a company insuring themselves against hackers, and then actually striking a deal with someone to hack into their system, damage some part of their system, and get rich off of the claim!
Maybe some good will come of this... (Score:3)
---