January 28th, 2003, 02:36 PM
I was reading this and I couldn't help but smile; "hacker insurance" is what they are calling it. I think it's a good idea, actually. Story taken from zdnet.com. Check it out.
LOS ANGELES--The computer worm that clogged Internet traffic and shut down vulnerable corporate networks this weekend also provided another boost to the emerging market for hacker insurance, experts said on Monday.
Hacker insurance, also known as "network risk insurance," has been on the market for about three years, but is expected to explode from a $100 million sideshow into a $2.5 billion behemoth by 2005, according to insurance industry projections.
This weekend's Internet attack, which virtually cut off Internet access in South Korea and toppled other networks worldwide, underlined the impossibility of total computer security, said Counterpane Internet Security Chief Technology Officer Bruce Schneier.
"I believe that within a few years hacking insurance will be ubiquitous," Schneier said. "The notion that you must rely on prevention is just as stupid as building a brick wall around your house. That notion is just wrong."
While investigators continued to probe the identity of the culprit behind the "SQL Slammer" worm, companies were tallying the economic cost of the attack, which continues to grow as businesses become more dependent on Internet infrastructure to conduct their business.
At the same time, some security experts questioned whether insurance policies would be effective, since many of them exclude more incidents than they cover and it is unpredictable where and how an attack will come.
Still, the hacker insurance field got a big boost on Jan. 1, when many existing commercial general liability policies expired and were replaced by policies that contain explicit exclusions for hacker-related losses, attorney Robert Steinberg of Latham & Watkins in Los Angeles told clients in a recent brief.
"Particularly given the post-Sept. 11 climate, fears about how such vulnerabilities and attendant magnitudes of loss might impact on national security have reached a critical mass," Steinberg wrote. "That hacking represents a danger to any industry and any type of business is by now a veritable truism."
The SQL Slammer worm, a deceptively small program that could easily be overlooked, also underscored the increasing sophistication and unpredictable nature of attacks, making it virtually impossible to quantify their impact, experts said.
Although the economic implications of hack attacks are poorly understood, Steinberg said, the Bush administration has pushed insurers to work with businesses to establish a security baseline for critical infrastructure in the private sector, just as insurers made seatbelts an auto safety requirement.
Incentives are already being offered for companies that use software products and procedures whose reliability is borne out in the industry's vast database, said Ty Sagalow, executive vice president and chief operating officer for AIG's eBusiness and Risk Solutions.
Nearly 70 percent of the network security insurance policies now in circulation were written by AIG. The company offers several coverage plans culminating in the Complete netAdvantage policy, which includes asset and income protection and extortion coverage. The deluxe policy also includes a $50,000 reward for information leading to the conviction of cyber criminals and money to hire a public relations firm for image repair.
The prices of the policies vary widely, from a couple of thousand dollars for a small business policy to as much as $1 million per $25 million worth of coverage, experts said.
But getting hacker insurance may require companies to jump through significant hoops for a product that may, because of a lack of legal precedent, exclude more than it covers, Steinberg said.
Insurers typically require a third-party assessment of an applicant's existing security system--which can cost up to $50,000--as well as evidence that the company's board has taken reasonable steps to protect its network from hackers.
Applicants may be required to engage in additional risk management processes to qualify, such as installing surveillance and intrusion detection software, requiring password changes and performing routine security checks.
Insurers have attempted to define "best practices," "reasonable steps" and "standard of care" by reference to a formal standard published by the International Organization for Standardization (ISO), but the legal reality of how the policies will be interpreted in the event of a dispute is hazy, Steinberg said.
"The problem with references to reasonable steps or reasonable efforts... is that 'reasonableness' remains open to discussion because of emerging security standards," Steinberg said.