-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jeff,

I agree with you and so far only a handful of companies offer this type of 
insurance. If it ever becomes ubiquitous the difficulty of setting these 
standards will increase but I suspect it won't be the largest challenge. 
Insurers like AIG or Lloyd's these days rely on assessments of trusted 
security firms which in turn use BS7799 or various NIST standards.  As you've 
mentioned, it's not about the technical details but the exposure to risk and 
liability. 

I am no expert but I know insurers heavily rely on statistical models to 
forecast risk and there is simply a great dearth of data in this area. This 
sort of information is hardly divulged and the little that's available has 
limited utility due to complex dependencies specific to the company. 

One can purchase business insurance if travelling in less developed countries. 
An insurer sells such a policy based on the aggregated probability of getting 
kidnapped, killed, etc, using updated (sometimes daily) metrics. 

I predict we will see wider use of cyber policies as groups like dshield.org 
and securityfocus grow and collect more historical data, insurance companies 
motivated by the potential of this new market will create risk models to use  
whatever data is available. Below is a general article from last year that 
might be of interest: 
http://www.businessweek.com/bwdaily/dnflash/apr2002/nf2002042_8163.htm

Cheers

ray


On Tuesday 11 February 2003 09:32 am, Jeff Combs wrote:
> Nathan,
>
> You've just described the tip of a giant iceberg that, so far, hasn't
> made it onto the mainstream radar yet.
> I don't have a great deal of insight, but have been following
> developments in this space.  More and more IT security
> groups/departments/managers are starting to realize security is a risk
> and exposure issue, not a technology issue.  I believe that as this
> trend grows, alternative risk management solutions such as cyber
> insurance will become more common.  I think the challenge is the
> development of universally accepted standards that define just what
> constitutes an acceptable enterprise security program.  However, many
> factors make this very difficult. A few are: the constant emergence of
> new technologies, the broad landscape of diverse and disparate systems,
> inherently flawed commercial software applications, and vertical
> specific compliance legislation.
>
> Right now it's a big Gordian knot without any easily defined path
> towards sorting it out.  This is changing though, and it will be
> interesting to see how things shake out.
>
> Jeff
>
> ps - If I come across any interesting reference material, I'll email you
> offline
>
> Nathan Ouellette wrote:
> >I've posted my resume to this thread before, so I won't bother with any
> >repeat details, but I was wondering if anyone has any leads regarding
> >risk technology or specifically 'cyber policies' and insurance related
> >endeavors.  I'm currently looking for work in this field.
> >
> >I have a pretty solid IT and security background, specifically a lot of
> >time spent in the insurance industry.  I've recently landed a
> >semi-technical role with a Risk Management firm and deal specifically
> >with liability and loss mitigation.  I've been keeping abreast on the
> >latest insurance news and I see that more and more carriers are
> >providing 'cyber policies' to their clients.  From what I gather,
> >premiums and revenue for this coverage are expected to skyrocket in the
> >near future.  I've also read that several carriers are requiring their
> >clients to 'prove' they are minimizing their risk by tightening their
> >systems and locking down security, this of course is the equivalent of
> >leading a healthy lifestyle in order to obtain a smaller premium on your
> >life insurance policies.
> >
> >The floor that I work on just happens to be divided up between my group
> >and several other insurance brokerage groups.  On a daily basis I hear
> >clients asking the brokers to find them a policy for this type of
> >coverage, but most of the sales people seem clueless as to what's going
> >on in the insurance/risk marketplace with these types of policies.  This
> >has really piqued my interest about this new market and I am now
> >actively seeking employment within its realm.
> >
> >My query is to anyone familiar with this line of business.  This could
> >be a great trend for security experts as more and more companies might
> >be looking for experts to audit client networks in order to be approved
> >for coverage (even better, IT candidates who have an insurance
> >background).  Or perhaps to brokerage houses acting as the middleman
> >between the carrier and the client.  Does anyone have any sort of leads
> >or perhaps a good resource for finding careers or perhaps introducing
> >our talents to these insurance folks who might be just now diving into
> >this new marketplace?
> >
> >
> >Respectfully,
> >
> >Nathan Ouellette, MCSE, CISSP
> >Sterling Heights, MI
> >[EMAIL PROTECTED]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE+SUWhzejBliQ3SdsRAk7VAKCr7d/dFXm5+hjKJuTHmW1z/p9l0QCfb+fv
8U9+jwUk9/1BRXayrahxDxk=
=WO2w
-----END PGP SIGNATURE-----
