In-Reply-To: <[EMAIL PROTECTED]>
Jeff and Nathan make some interesting points. There is likely a market there, but it is not clear who is buying and who is selling as of yet. I would add that the significant complicating factor for IT security insurance is the lack of loss data which would allow the creation of a viable business model. With a large amount of loss information, risk can be quantized with fiducial calculations. Unfortunately, seldom is actual loss due to hacking and other security related mechanisms well characterized, nor do companies want to share that information with an underwriter.

The positive side is that estimates or a fixed dollar amount can be ascribed to an insurable loss (Betty Grable insured her legs...). Therefore, a company could transfer risk to an insurer if they decide that an accident or incident could require some particular dollar figure.

Bruce Schneier touches on this subject in this presentation I heard him give last May. He's right on the mark and I agree with his arguments.

http://www.counterpane.com/presentation4.pdf

Also, Heather Eikenberry has written a nice paper (from Jan 2001) on the subject.

http://www.sans.org/rr/casestudies/insurance.php

Cheers,
Tom

>
>Nathan,
>
>You've just described the tip of a giant iceberg that, so far, hasn't
>made it onto the mainstream radar yet.
>I don't have a great deal of insight, but have been following
>developments in this space. More and more IT security
>groups/departments/managers are starting to realize security is a risk
>and exposure issue, not a technology issue. I believe that as this
>trend grows, alternative risk management solutions such as cyber
>insurance will become more common. I think the challenge is the
>development of universally accepted standards that define just what
>constitutes an acceptable enterprise security program. However, many
>factors make this very difficult. A few are: the constant emergence of
>new technologies, the broad landscape of diverse and disparate systems,
>inherently flawed commercial software applications, and vertical
>specific compliance legislation.
>
>Right now it's a big Gordian knot without any easily defined path
>towards sorting it out. This is changing though, and it will be
>interesting to see how things shake out.
>
>Jeff
>
>ps - If I come across any interesting reference material, I'll email you
>offline
>
>Nathan Ouellette wrote:
>
>>I've posted my resume to this thread before, so I won't bother with any
>>repeat details, but I was wondering if anyone has any leads regarding
>>risk technology or specifically 'cyber policies' and insurance related
>>endeavors. I'm currently looking for work in this field.
>>
>>I have a pretty solid IT and security background, specifically a lot of
>>time spent in the insurance industry. I've recently landed a
>>semi-technical role with a Risk Management firm and deal specifically
>>with liability and loss mitigation. I've been keeping abreast on the
>>latest insurance news and I see that more and more carriers are
>>providing 'cyber policies' to their clients. From what I gather,
>>premiums and revenue for this coverage are expected to skyrocket in the
>>near future. I've also read that several carriers are requiring their
>>clients to 'prove' they are minimizing their risk by tightening their
>>systems and locking down security, this of course is the equivalent of
>>leading a healthy lifestyle in order to obtain a smaller premium on your
>>life insurance policies.
>>
>>The floor that I work on just happens to be divided up between my group
>>and several other insurance brokerage groups. On a daily basis I hear
>>clients asking the brokers to find them a policy for this type of
>>coverage, but most of the sales people seem clueless as to what's going
>>on in the insurance/risk marketplace with these types of policies. This
>>has really piqued my interest about this new market and I am now
>>actively seeking employment within its realm.
>>
>>My query is to anyone familiar with this line of business. This could
>>be a great trend for security experts as more and more companies might
>>be looking for experts to audit client networks in order to be approved
>>for coverage (even better, IT candidates who have an insurance
>>background). Or perhaps to brokerage houses acting as the middleman
>>between the carrier and the client. Does anyone have any sort of leads
>>or perhaps a good resource for finding careers or perhaps introducing
>>our talents to these insurance folks who might be just now diving into
>>this new marketplace?
>>
>>
>>Respectfully,
>>
>>Nathan Ouellette, MCSE, CISSP
>>Sterling Heights, MI
>>[EMAIL PROTECTED]
>>
>
>--
>Jeff Combs
>Alta Associates, Inc.
>908-806-8442
>908-806-8443 fax
>[EMAIL PROTECTED]
>visit us at www.altaassociates.com
>
