[SLUG] Good article on O.S. insurance

From: Smitty (76543a@mpinet.net)
Date: Tue May 29 2001 - 15:17:54 EDT


This is a text attachment that I did a quick vim editing job on, but it
is quite readable.
Smitty

                        
                                          Insurer Considers Microsoft NT
                                          High-Risk
                                          By Robert Bryce, Interactive Week
                                          May 28, 2001 2:45 AM PT

        smitty 5/29/01 8:44 AM PDT
        Well, your predictions on insuring computers is panning out!

                                          Microsoft's server software is
                                          easy to install, loaded with
                                          features and fairly reliable. It
                                          may also be more costly to insure
                                          against hack attacks.

                                          J.S. Wurzler Underwriting
                                          Managers, one of the first
                                          companies to offer hacker
                                          insurance, has begun charging its
                                          clients 5 percent to 15 percent
                                          more if they use Microsoft's
                                          Windows NT software in their
                                          Internet operations. Although
                                          several larger insurers said they
                                          won't increase their NT-related
                                          premiums, Wurzler's announcement
                                          indicates growing frustration
                                          with the ongoing discoveries of
                                          vulnerabilities in Microsoft's
                                          products.

                                          Some industry observers believe
                                          other insurers may follow
                                          Wurzler's lead, which could
                                          affect the overall hacker
                                          insurance market, a sector that
                                          the Insurance Information
                                          Institute estimates may generate
                                          $2.5 billion in annual premiums
                                          by 2005.

                                          "We saw that our NT-based clients
                                          were having more downtime" due to
                                          hacking, says John Wurzler,
                                          founder and CEO of the Michigan
                                          company, which has been selling
                                          hacker insurance since 1998.

                                          Wurzler said the decision to
                                          charge higher premiums was not
                                          mandated by the syndicates
                                          affiliated with Lloyd's of London
                                          that underwrite the insurance he
                                          sells. Instead, the move was
                                          based on findings from 400
                                          security assessments that his
                                          firm has done on small and
                                          midsize businesses over the past
                                          three years.

                                          Wurzler found that system
                                          administrators working on open
                                          source systems tend to be better
                                          trained and stay with their
                                          employers longer than those at
                                          firms using Windows software,
                                          where turnover can exceed 33
                                          percent per year. That turnover
                                          contributes to another problem:
                                          System administrators are not
                                          implementing all the patches that
                                          have been issued for Windows NT,
                                          Wurzler said.

                                          According to Microsoft's Web
                                          site, more than 50
                                          vulnerabilities - and the patches
                                          to fix them - have been issued
                                          for Windows NT server software
                                          since June 1998.

                                          Microsoft spokesman Jim Desler
                                          said the hacker insurance market
                                          is still too young to declare
                                          Wurzler's move a trend. "There's
                                          not enough history or business to
                                          draw conclusions about
                                          rate-setting practices," Desler
                                          said. As the market matures,
                                          rates are likely to be based on
                                          best practices, rather than on
                                          platforms or products, he
                                          predicted. "We provide
                                          unparalleled support in the area
                                          of security."

                                          American International Group, the
                                          country's largest insurance
                                          underwriter, said it will not
                                          raise its rates for Windows
                                          NT-based systems. Nor will Aon,
                                          the world's second largest
                                          insurance broker. The use of NT
                                          is "just one factor in the
                                          overall assessment of risks. It
                                          can be an indicator of other
                                          vulnerabilities, but you may also
                                          have other things in place to
                                          counter that, like firewalls and
                                          intrusion-detection systems,"
                                          said Kevin Kalinich, a director
                                          in Aon's technology and
                                          telecommunications group.

                                          However, Harry Croydon, CEO of
                                          Safeonline, a London risk
                                          analysis firm that works with
                                          underwriters at Lloyd's,
                                          predicted that Wurzler's decision
                                          to charge more for Windows NT
                                          machines is "a trend we will see
                                          increasing." Just as drivers who
                                          own rare cars pay more to insure
                                          them, Croydon said, "certain
                                          types of software expose you to
                                          different risks."

                                          Although Wurzler's company is
                                          small - eight employees - digital
                                          security firms are watching it
                                          closely. Bruce Schneier,
                                          Counterpane Internet Security's
                                          co-founder and chief technical
                                          officer, said it makes sense for
                                          underwriters to differentiate
                                          premiums based on the type of
                                          software and hardware that's
                                          used. "Insurance companies are
                                          looking to manage their risk
                                          effectively. If there's a
                                          technology that reduces risk,
                                          they'll charge lower premiums,"
                                          Schneier said.

                                          Indeed, several insurers offer
                                          discounts to clients that use
                                          managed security service
                                          providers or put certain security
                                          devices on their networks. For
                                          example, last week, AIG said it
                                          will cut premiums up to 10
                                          percent for clients that use a
                                          new security device made by
                                          Invicta Networks, a Virginia
                                          company headed by Victor Sheymov,
                                          a former KGB agent. Invicta
                                          claims its device, which uses an
                                          Internet Protocol
                                          address-shifting technology, is
                                          impossible to hack.

                                          Windows-based servers are
                                          frequently victimized by hackers.
                                          From August 1999 to November
                                          2000, 56 percent of all the
                                          successful, documented hack
                                          attacks occurred on systems using
                                          Microsoft server software,
                                          according to statistics posted at
                                          Attrition.org, a Web site that
                                          records hackers' exploits.

                                          Given Windows NT's record, Gene
                                          Spafford, the director of Purdue
                                          University's Center for Education
                                          and Research in Information
                                          Assurance and Security, believes
                                          higher insurance premiums may be
                                          justified. "NT is more difficult
                                          to install correctly and keep up
                                          to date than Linux," Spafford
                                          said.

                                          Right now, it appears that
                                          Wurzler is going it alone among
                                          insurers by charging higher
                                          premiums to Windows NT users. But
                                          Wurzler said the higher prices
                                          are not costing his company
                                          customers.

                                          A policy covering revenue lost
                                          due to hacking costs about $4,000
                                          per year for each $1 million in
                                          coverage, he said.

                                          About half of his clients use
                                          Windows NT, Wurzler said; the
                                          rest use Linux or Unix. Given
                                          that breakdown, he said it's easy
                                          to justify higher rates for NT
                                          machines. "Why should a Unix
                                          player with fewer vulnerabilities
                                          subsidize NT users?" Wurzler
                                          asked.

                                          And Wurzler's not through with
                                          Microsoft. He said his firm is
                                          looking at vulnerabilities in
                                          Microsoft's Internet Information
                                          Server software, and that it may
                                          soon begin charging higher
                                          premiums for that product, too.




This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:56:30 EDT