OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
NFR Wizards Archive: Re: Lloyds to offer hacker insurance

Re: Lloyds to offer hacker insurance

David Lang (dlangdiginsite.com)
Tue, 28 Apr 1998 06:52:00 -0700 (PDT)

-----BEGIN PGP SIGNED MESSAGE-----

Remember what insurance boils down to, a gamble

you are betting that you will need the insurance.
The company is betting that you will not.

on this basis ANYTHING can be insured for a profit if the odds are calculated
correctly.

David Lang

On Mon, 27 Apr 1998, Marcus J. Ranum wrote:

> Date: Mon, 27 Apr 1998 09:35:45 -0400
> From: "Marcus J. Ranum" <mjrnfr.net>
> To: Firewall Wizards List <firewall-wizardsnfr.net>
> Subject: Re: Lloyds to offer hacker insurance
>
> Adam Shostack wrote:
> >I'm very curious as to what people think of the idea of insurance for
> >infosec failures. Will it encourage standards of due dilligence and
> >due care for the industry, the way bank insurance has driven bank
> >safes to be stronger and stronger?
>
> I'm sure that it will, so it's a good thing. Presumably the insurance
> premium will be somehow tied to whether or not you observe due diligence
> at varying levels. I expect they tie it to some kind of review of
> existing practices -- much like when you get a million dollar life
> insurance policy in the US: they draw blood, do an EKG, and urinalysis.
> Very different from getting a $50,000 life insurance policy. You'll
> note the quote in the article from the guy from Asset Management
> Solutions, Inc, which helps with the assessments. About a year ago
> NCSA (now ICSA) did a similar deal where you could get web site
> insurance through Prudential, if you first passed their test. I
> suspect a lot of this is really a game to sell a high-priced ISS
> scan, which probably costs more than the insurance policy.
>
> Of course, as the CEO of a company that makes the Internet's most
> butt-kicking network event recorder, I'm thrilled to death to see
> this kind of thing, because it'll make NFR money. :) One of the
> things that's got to come up if anyone ever tries to lodge a claim,
> is proving that the damage was covered by the insurance! Let's say
> you have "firewall insurance" --- OOOPS you gotta be able to prove
> they broke in through the firewall, not the dialin server, because
> you don't have "modem pool insurance" And was that attack really
> covered by "firewall insurance"? It might have been an attack
> applet not covered because you didn't pay for the "java insurance"
> rider policy. Etc, etc. There's infinite room here for finger
> pointing. It's going to drive a whole new market for event
> recording, if it takes off.
>
> My guess is that "security insurance" isn't going to take off in
> a big way. Companies are already sensitive about spending $$ to do
> security in the first place -- why would they spend $$$$ to avoid
> it?
>
> mjr.
> --
> Marcus J. Ranum, CEO, Network Flight Recorder, Inc.
> work - http://www.nfr.net
> home - http://www.clark.net/pub/mjr
>
>

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.0
Charset: noconv

iQEVAwUBNUXfAz7msCGEppcbAQG0CggArK6nk7h5DVlmQlCokeFWmxuXKVgtPRAQ
Zrg3aJGSVASKWfp8iRAVGaqK8q3F+rZjm5OrqAbRyYFNo/mjO20lfFguDHUUfecA
gRxHliKL370VjCjjj+P/WTDKj0/AGO1Ya+3RgOejrqll+dytlnGOdbQw9Jc+Epyp
jiYnIWT9aroFyogeBl5Ys4UTACR+5KT1tGGrBlrgmJuRDJx62pMAwf6ZudznT6iY
7hiIx+1f+Jsou359j7QLD9pEwAjgzwfigmlA3eFTcLoR6s6yDtjhcCVbY+o4pZ8R
zPG3XqKLD1UUz9RLLgEXVbCiaTwRbtd0Z1z6LKXPtDmW5ZrtZyv6vQ==
=agjf
-----END PGP SIGNATURE-----

This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:10:48 CDT