Firewall Wizards mailing list archives

RE: Lloyds to offer hacker insurance


From: "Kevin Tyrrell" <tyrrell () foremost com>
Date: Wed, 29 Apr 1998 10:36:25 -0400

From our perspective writing a policy is akin to legalized gambling. We
accept your premiums and bet we can invest it and get a return on it before
we have to pay it back as a claim.

We have been insuring mobile homes, RVs and travel trailers for the last 45
years. In that time we've gotten to know these products really well. We
insure against the usual things - fire, theft, natural causes (tornadoes,
hurricanes, floods, lightning, etc). We have a pretty good idea of what to
expect in terms of exposures from this stuff. We can calculate our odds
pretty well since the exposures are pretty well known.

So Lloyds brings in some "experts" to review our security policy, inspect
our network, review our user training, interrogate all the users to make
sure they're honest, bla, bla, bla and they certify us as insurable
(secure). We're all set, we can go back to sleep now. The next month we have
hurricanes in Florida, floods in CA, tornadoes in Indiana. Someone decides
to have some fun and pushes through a hole in the new firewall system we
just installed. This brings our network down so we can't process claims.
After a day or two we'll be history. So Lloyds pays us a million $$, just
enough to pay for gracefully closing the doors.

Or say Lloyds insures a lot of companies who use version X.0 of OS YYY as
the basis for their firewall system. Of course they're all insurable
(secure), since they've been certified by the "experts". So what happens to
Lloyds when the next killer 'sploit is used on the majority of these systems
all at once? I don't see how Lloyds can calculate the odds of loss from an
exposure they don't even know exists. At least we're pretty sure we won't
see a bunch of mobile homes destroyed by volcanoes erupting in Tampa.

We are in the midst of installing a firewall and a direct Internet
connection. We have researched firewall systems very carefully for about a
year. We have put an enterprise-wide security policy in place. We're
removing the back doors. We have started a security awareness program. We
also feed and house some of the "experts" every now and then. These types of
actions are what make up our insurance policy.

Buying insurance against "hackers" might actually make some companies less
secure. They have been certified as insurable (secure), so they can put
security on the back burner until it's time for next year's checkup, then
they get whacked. But hey, they got insurance.


Kevin Tyrrell
Foremost Insurance Co.

Disclaimer:

These opiini^H^H damn! ^H^H ^Q ^[ .... :w  :q
:wq  :wq! ^d  ^X ^? exit X Q  ^C ^? :quitbye  Ctrl-Alt-Del   ~~q
:~q  logout  save/quit :!QUIT ^[zz ^[ZZZZZZ ^vi  man vi ^@
^L  ^[c  ^# ^E ^X ^I ^T ? help  helpquit ^D  ^d !! man help ^C
^c:e! help exit ?Quit ?q Ctrl-Shft-Del "Hey, what does Stop L1A
d..."



-----Original Message-----
From: owner-firewall-wizards () nfr net
[mailto:owner-firewall-wizards () nfr net]On Behalf Of David Lang
Sent: Tuesday, April 28, 1998 9:52 am
To: Marcus J. Ranum
Cc: Firewall Wizards List
Subject: Re: Lloyds to offer hacker insurance


-----BEGIN PGP SIGNED MESSAGE-----

Remember what insurance boils down to, a gamble

... snip ...


