From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Thu, 29 Nov 2001 17:12:08 -0800 (PST)
Subject: [iwar] [fc:Cyberinsurance:.As.the.risk.increases,.so.will.the.interest.in.policies.and.the.cost.of.premiums.]

Cyberinsurance: As the risk increases, so will the interest in policies and the cost of premiums.
By Colleen Brush, Information Security, 11/29/2001
<http://www.infosecuritymag.com/articles/november01/industry_cyberinsurance.shtml>

Since its inception, cyberinsurance has been billed as a way for companies to underwrite potential hacking losses for things technology cannot protect. The concept of insuring digital assets has been slow in catching on because the risks and damages were hard to quantify and put a price tag on.

The Sept. 11 terrorist attacks quickly elevated corporate America's interest in cyberinsurance, as industry magnates looked for ways to mitigate their exposure to cyberterrorism and security breaches. At the same time, it has become harder to find underwriters willing to insure multimillion-dollar cyberspace policies. For carriers willing to sell such paper, the premiums have skyrocketed.

"I think prior to Sept. 11, the focus, when it comes to information security, has been on critical infrastructure," says Jeffery S. Grange, VP and global manager of fidelity financial products at insurance company Chubb & Sons, Inc. "Post-Sept. 11, it has shifted to homeland defense and trying to understand whether or not financial institutions and other critical infrastructure such as telecommunications are vulnerable to cyberterrorism."

Insurance stalwarts such as Lloyd's of London, AIG and Zurich now offer policies for everything from hacker intrusions to network downtime. The breadth of cyberinsurance policies is growing, from simple hacker intrusion, disaster recovery and virus infection to protection against hacker extortion, identity theft and misappropriation of proprietary data, Grange says.

While the market was already moving to provide policies to cover these risks, many executives viewed cyber-insurance as a luxury that yielded few tangible benefits.
Ken Cutler, managing director of the Information Security Institute (www.misti.com), says many risk managers buried their heads in the sand, believing they would never need anything like cyberinsurance.

"There was a naivete on the part of senior management," Cutler says. "IT managers were not willing to admit they had to fix something of that magnitude, because they are afraid to go ask for the money."

The aftermath of the attacks illustrates the interconnectedness of all systems: financial services, information and communications, transportation, electrical power, fire and police, says Lee Zeichner, president of LegalNet Works. "They all relate in profound ways we are only now beginning to understand," Zeichner says.

Businesses are starting to think about what type of recovery position they would be in if something similar to the World Trade Center attack happened to them, industry analysts say. "Some of the disaster recovery plans I have seen, more often than not, I'm not sure they would do quite well as an American Express or Merrill Lynch did," Cutler says.

While the cyberinsurance market may reap growth in the wake of the tragedy, carriers are tightening the terms and conditions of policies. Premiums are going up significantly, and underwriters are hesitating to sign big policies, industry experts say. In the past, companies seeking a $25 million policy could find someone to cover them. Now, it's much more difficult. Underwriters who didn't blink at $5 million or $10 million policies would rather insure $1 million policies, say cyberinsurance brokers.

"The marketplace is in transition, and there's undoubtedly a hardening of trading conditions for both traditional property and casualty insurance, as well as the emerging new e-commerce products," Grange says.

Premiums on cyberinsurance are an easy mark for price hikes because there's little historical data on which to set premiums.
It's difficult to pinpoint the losses if data is corrupted, a network is hacked or system uptime is disrupted. The fear of bad publicity keeps many companies mum on hacking incidents, which makes it more difficult to collect data for projecting future losses.

In order to develop robust cyberinsurance, two major developments need to take place, Zeichner says. First, sufficient actuarial data needs to be collected. Second, insurance carriers need to gain a better understanding of the IT systems in use and how they interact with other information and automated systems.

Industry analysts predict underwriters will push any changes in cyberinsurance offerings and the systems used by policyholders. The first indication of this trend came earlier this year when J.S. Wurzler Underwriting Managers tacked a 5 to 15 percent surcharge on cyberinsurance premiums for users of Windows NT on IIS servers, citing their poor security track record, which makes them more expensive to insure.

"I think the underwriters are going to force the issue by saying, 'Look, if you lose your whole business, if things like that happen, you can expect to pay a higher premium,'" Cutler says.

COLLEEN BRUSH (cmbrush@hotmail.com) is a business reporter for the MetroWest Daily News in Framingham, Mass. She has nearly 10 years' experience in print journalism and public relations.