"C|Net is running a story today (as is ZDnet) reporting that
Lloyd's of London will offer up to $100 million in
insurance coverage to clients of computer-security management firm
Counterpane Security against hacker-related losses to its business
or its customers.
How nice. But naturally, I have a few complaints to make - and here
"First, let's be clear that this is already old news. Back in
mid-February, HP announced that a group of HP users, Interex, had
arranged insurance for loss of ecommerce revenue through J.S.
Wurzler, and American International Group (AIG) began offering
"hacker insurance" in January of this year through Tri-City
Brokerage, Inc., but according to the product info, this is now
underwritten by Lloyd's."
"Besides - and this is the biggie - I question the ability
of the insurance industry as it stands to properly underwrite this
exposure. Don't forget, you simply can't inoculate yourself
against DDoS attacks, no matter how much fear they spread... and
that's the exact reason you want this coverage, isn't it? For
circumstances beyond your control? I'd suggest managing your risk
through whatever the IT department comes up with, backed with
contract language. Maybe you're asking your provider for an uptime
guarantee that is broad enough to include outages as a result of
DDoS attacks - but if you're the provider, you shouldn't be giving
such assurances, because as you recall from a Penguinista report
last February, you can't. DDoS attacks are the standard motivation
for insurance, but remember the phrase, "Well, you weren't cracked,
you were smurfed."