This is a text attachment that I did a quick vim editing job on, but it
is quite readable.
Smitty
Insurer Considers Microsoft NT High-Risk
By Robert Bryce, Interactive Week
May 28, 2001 2:45 AM PT

smitty 5/29/01 8:44 AM PDT
Well, your predictions on insuring computers is panning out!

Microsoft's server software is easy to install, loaded with features
and fairly reliable. It may also be more costly to insure against hack
attacks.

J.S. Wurzler Underwriting Managers, one of the first companies to offer
hacker insurance, has begun charging its clients 5 percent to 15 percent
more if they use Microsoft's Windows NT software in their Internet
operations. Although several larger insurers said they won't increase
their NT-related premiums, Wurzler's announcement indicates growing
frustration with the ongoing discoveries of vulnerabilities in
Microsoft's products.

Some industry observers believe other insurers may follow Wurzler's
lead, which could affect the overall hacker insurance market, a sector
that the Insurance Information Institute estimates may generate
$2.5 billion in annual premiums by 2005.

"We saw that our NT-based clients were having more downtime" due to
hacking, says John Wurzler, founder and CEO of the Michigan company,
which has been selling hacker insurance since 1998.

Wurzler said the decision to charge higher premiums was not mandated by
the syndicates affiliated with Lloyd's of London that underwrite the
insurance he sells. Instead, the move was based on findings from 400
security assessments that his firm has done on small and midsize
businesses over the past three years.

Wurzler found that system administrators working on open source systems
tend to be better trained and stay with their employers longer than
those at firms using Windows software, where turnover can exceed 33
percent per year. That turnover contributes to another problem: System
administrators are not implementing all the patches that have been
issued for Windows NT, Wurzler said.

According to Microsoft's Web site, more than 50 vulnerabilities - and
the patches to fix them - have been issued for Windows NT server
software since June 1998.

Microsoft spokesman Jim Desler said the hacker insurance market is still
too young to declare Wurzler's move a trend. "There's not enough history
or business to draw conclusions about rate-setting practices," Desler
said. As the market matures, rates are likely to be based on best
practices, rather than on platforms or products, he predicted. "We
provide unparalleled support in the area of security."

American International Group, the country's largest insurance
underwriter, said it will not raise its rates for Windows NT-based
systems. Nor will Aon, the world's second largest insurance broker. The
use of NT is "just one factor in the overall assessment of risks. It can
be an indicator of other vulnerabilities, but you may also have other
things in place to counter that, like firewalls and intrusion-detection
systems," said Kevin Kalinich, a director in Aon's technology and
telecommunications group.

However, Harry Croydon, CEO of Safeonline, a London risk analysis firm
that works with underwriters at Lloyd's, predicted that Wurzler's
decision to charge more for Windows NT machines is "a trend we will see
increasing." Just as drivers who own rare cars pay more to insure them,
Croydon said, "certain types of software expose you to different risks."

Although Wurzler's company is small - eight employees - digital security
firms are watching it closely. Bruce Schneier, Counterpane Internet
Security's co-founder and chief technical officer, said it makes sense
for underwriters to differentiate premiums based on the type of software
and hardware that's used. "Insurance companies are looking to manage
their risk effectively. If there's a technology that reduces risk,
they'll charge lower premiums," Schneier said.

Indeed, several insurers offer discounts to clients that use managed
security service providers or put certain security devices on their
networks. For example, last week, AIG said it will cut premiums up to 10
percent for clients that use a new security device made by Invicta
Networks, a Virginia company headed by Victor Sheymov, a former KGB
agent. Invicta claims its device, which uses an Internet Protocol
address-shifting technology, is impossible to hack.

Windows-based servers are frequently victimized by hackers. From August
1999 to November 2000, 56 percent of all the successful, documented hack
attacks occurred on systems using Microsoft server software, according
to statistics posted at Attrition.org, a Web site that records hackers'
exploits.

Given Windows NT's record, Gene Spafford, the director of Purdue
University's Center for Education and Research in Information Assurance
and Security, believes higher insurance premiums may be justified. "NT
is more difficult to install correctly and keep up to date than Linux,"
Spafford said.

Right now, it appears that Wurzler is going it alone among insurers by
charging higher premiums to Windows NT users. But Wurzler said the
higher prices are not costing his company customers.

A policy covering revenue lost due to hacking costs about $4,000 per
year for each $1 million in coverage, he said.

About half of his clients use Windows NT, Wurzler said; the rest use
Linux or Unix. Given that breakdown, he said it's easy to justify higher
rates for NT machines. "Why should a Unix player with fewer
vulnerabilities subsidize NT users?" Wurzler asked.

And Wurzler's not through with Microsoft. He said his firm is looking at
vulnerabilities in Microsoft's Internet Information Server software, and
that it may soon begin charging higher premiums for that product, too.
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 15:56:30 EDT