RE: Insurance

["Parisi, Robert" <Robert.Parisi () AIG com>]

just a couple of points of clarification:
1. many clients--amazon being one, the VISA CISP standards being another,
now require that all vendors--be they trading partners or service providers
demonstrate both adequate infosec/network security as well as proof of
insurance.

2. the insuranc emarket has hardended dramatically over the past
year--including professional liability coverage such that both price and
deductibles have risen

3. it is highly unlikely that a client's business interruption cvge or their
overall property policy for that matter, will respond to most types of
damage that can be caused by a tech service provider. The property
insurers(business interruption cvge is part of an overall property cvge and
is not usually sold on a stand alone basis) have for the last year placed an
exclusion on their policies that excludes from coverage any loss due to the
destruction, corrution, etc of data. The exclusion goes on as to other
issues like no coverage for loss arising out of a computer virus, etc. The
point being--and recent federal case law has borne this out--tradtional
property policies cover only physical damage to/loss of tangible
property--data beign deemed "intangible" for the purposes of insurance.


Regards,
 
Bob Parisi

Robert A. Parisi, Jr.
Senior Vice President and Chief Underwriting Officer
AIG eBusiness Risk Solutions
80 Pine Street, 8th Floor
NYC, NY 10005
Phone:    212-770-1691
Fax:        443-381-2473 (direct)
Fax:        212-770-5375 (general)
Pager:     877-356-3223 
Cell:        917-439-5844
8773563223 () skytel com <mailto:8773563223 () skytel com>
robert.parisi () aig com <mailto:robert.parisi () aig com>
www.aignetadvantage.com
 
NOTICE: This e-mail message and all attachments transmitted with it may
contain legally privileged and confidential information intended solely for
the use of the addressee. If the reader of this message is not the intended
recipient, you are hereby notified that any reading, dissemination,
distribution, copying, or other use of this message or its attachments is
strictly prohibited. If you have received this message in error, please
notify the sender immediately by telephone (212-770-1691) or by electronic
mail (robert.parisi () aig com), and delete this message and all copies and
backups thereof. Thank you.
 


-----Original Message-----
From: mis () seiden com [mailto:mis () seiden com]
Sent: Tuesday, November 26, 2002 8:37 PM
To: David Wray
Cc: pen-test () securityfocus com
Subject: Re: Insurance


i agree with all of the explanation and education part. it's part
of the sales process.

insurance is to protect against unexpected liability.  if neither you
nor your client believe there will be a meltdown, who's insisting on
insurance?  and the deductibles are so high, chances are you'll never
use your coverage.

i try to get my clients to give permission and to assume the
liabilities for my infosec testing.  (their business interruption
insurance will often protect against something awful.)

of course, if my ordinary testing crashes their systems, so can bugs or
insiders, and they typically assume those liabilities, so why not the 
costs involved in my testing?

for physical security testing (which i do) there are often 3rd parties
involved (e.g. colo or hosting facilities, and other tenants in the
facility), and i need multiple permissions, and i need to act as the
agent of the tenant in the facility.  i agree not to cause damage to
people or property in my testing.  (i suppose i could get electrocuted
crawling around in the ceiling or the floor, and that's my risk.  i
cracked a ceiling tile once.  that was my cost, but they said
"don't bother".).

i don't typically test whether the UPS switchover works by turning off
the colo building power, because of the exposure to other tenants
whose permission i'm unable to get.  i've been surprised by how long ago
this sort of thing has been tested.

in many cases, my testing is intended to test the time-to-detect,
time-to-recover or incident response.  the cost of the test is a
measure of the preparedness of the target of evaluation.  advance
warning resulting in heightened awareness or artificial minimization
of the test just to minimize possible costs etc. reduces the realism
of testing.

On Tue, Nov 26, 2002 at 05:57:29PM -0000, David Wray wrote:
> HI Lisa
>
> In our experience (In the UK at least), the Insurance side of pen testing
is
> much like the Legal side, i.e. you have to patiently explain to someone
> that's never heard of pen testing what you do, why you do it, who you do
it
> for, the pitfalls of pen testing, the likely outcome, expected turnover
etc
> etc. We have also had to show our working practises, how we update the
> testing, the CVs of the testers, our contracts etc etc.
>
> Our "You missed something and we've been hacked" insurance is covered
under
> our Professional Indemnity insurance, as is our "You've just killed our
> e-commerce platform and it won't restart" insurance. In my experience,
it's
> the experience and time served by your testing team that seems to have the
> biggest swing on premiums. How much cover you get is a good question, it's
> never enough!
>
>
> Regards
>
> Dave Wray
> Sec-Tec Ltd
> www.sec-tec.co.uk
>
> ----- Original Message -----
> From: "Lisa Dokes" <securitylists () hotmail com>
>
>
>
>
> ________________________________________________________________________
> Sec-Tec Ltd, CLAS Government listed specialists in information security
professional services. Visit http://www.sec-tec.co.uk for more information
on our services. This e-mail has been scanned for possible virus
contamination. However, we recommend that all recipients also scan this
message.
>
----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert
(SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please
see:
> https://alerts.securityfocus.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/