<html>
  <head>
    <meta content="text/html; charset=windows-1252"
      http-equiv="Content-Type">
  </head>
  <body bgcolor="#FFFFFF" text="#000000">
    <div class="moz-cite-prefix">+1<br>
      <br>
      Add to this business continuity, termination, archived data
      preservation requirements and we'll have a clear answer why and
      what kind of insurance we need.<br>
      <br>
      Thanks,<br>
      M.D.   <br>
      <br>
      On 12/19/2014 5:16 PM, Dean Coclin wrote:<br>
    </div>
    <blockquote
cite="mid:14D026C7F297AD44AC82578DD818CDD037FF8A4585@TUS1XCHEVSPIN35.SYMC.SYMANTEC.COM"
      type="cite">
      <div class="WordSection1">
        <p>Isn't the skin in the game from insurers to ensure that they
          can find as many ways as possible to disqualify the policy,
          rather than actually secure the insured?<o:p></o:p></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">&gt;&gt;Yes
            of course and if anyone has ever had the pleasure of filing
            a home insurance claim after a disaster, you quickly learn
            that it pays to hire your own insurance “advocate” who will
            work on your behalf to get the most from the insurance
            company.<o:p></o:p></span></p>
        <p>Indeed, in the history of events that have done the most to
          undermine the faith in the CA ecosystem, they have been
          systemic issues that any insurance agency - especially when
          looking at large scale liability as proposed by 141 - would
          seek to use to disqualify the policy and reject the claim.<o:p></o:p></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1F497D">&gt;&gt;I
            don’t disagree with this but shouldn’t we be looking at not
            just “Diginotar type” events? There is a broad spectrum of
            events that insurance can cover as well as things they
            explicitly do not cover (just look at your homeowners
            policy). <o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Perhaps
            a better solution is to do what we did with the CAA ballot.
            Mandate that the CA disclose its coverage in the CPS. If
            they don’t have any, just say so. A cert buyer (or relying
            party) can make a decision based on that. (Thanks to Ben for
            suggesting that to me!)<o:p></o:p></span></p>
        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Dean<o:p></o:p></span></p>
        <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
            Ryan Sleevi [<a moz-do-not-send="true"
              href="mailto:sleevi@google.com">mailto:sleevi@google.com</a>]
            <br>
            <b>Sent:</b> Thursday, December 18, 2014 6:51 PM<br>
            <b>To:</b> Phillip<br>
            <b>Cc:</b> CABFPub; Dean Coclin<br>
            <b>Subject:</b> Re: [cabfpub] Breach Insurance<o:p></o:p></span></p>
        <p class="MsoNormal"><o:p> </o:p></p>
        <p>Isn't the skin in the game from insurers to ensure that they
          can find as many ways as possible to disqualify the policy,
          rather than actually secure the insured?<o:p></o:p></p>
        <p>After all, the article shows that the Cyberbreach insurance
          Target had was "useless", in as much as the claims were
          disqualified because of actions of the insured. This is
          exactly what we saw of DigiNotar as well - the insurance claim
          was denied because of actions of DigiNotar.<o:p></o:p></p>
        <p>Indeed, in the history of events that have done the most to
          undermine the faith in the CA ecosystem, they have been
          systemic issues that any insurance agency - especially when
          looking at large scale liability as proposed by 141 - would
          seek to use to disqualify the policy and reject the claim.<o:p></o:p></p>
        <div>
          <p class="MsoNormal">On Dec 18, 2014 3:36 PM, "Phillip
            Hallam-Baker" &lt;<a moz-do-not-send="true"
              href="mailto:philliph@comodo.com">philliph@comodo.com</a>&gt;
            wrote:<o:p></o:p></p>
          <div>
            <p class="MsoNormal">I don’t particularly mind what type of
              insurance it is, provided that it means that the
              activities of the CA are going to be overseen by some
              party who would have skin in the game in the case of a
              breach.<o:p></o:p></p>
            <div>
              <p class="MsoNormal"><o:p> </o:p></p>
            </div>
            <div>
              <p class="MsoNormal">Audits are fine but the auditors
                don’t have skin in the game. <o:p></o:p></p>
              <div>
                <p class="MsoNormal"><o:p> </o:p></p>
              </div>
              <div>
                <p class="MsoNormal"><o:p> </o:p></p>
                <div>
                  <div>
                    <p class="MsoNormal">On Dec 18, 2014, at 6:24 PM,
                      Dean Coclin &lt;<a moz-do-not-send="true"
                        href="mailto:Dean_Coclin@symantec.com"
                        target="_blank">Dean_Coclin@symantec.com</a>&gt;
                      wrote:<o:p></o:p></p>
                  </div>
                  <p class="MsoNormal"><br>
                    <br>
                    <o:p></o:p></p>
                  <div>
                    <div>
                      <div>
                        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Thanks
                            Ben. I’m assuming you are posting this with
                            regards to the recent insurance debate.
                            Although I was initially opposed to dropping
                            the EV Insurance requirement, my thinking
                            has changed as others have posted facts
                            about the type of insurance that the EVGL
                            require and appropriateness to its intended
                            use. Symantec’s current position would be in
                            favor of ballot 142 (Gerv’s elimination
                            ballot). The article you linked to below
                            seems to favor a different type of insurance
                            than what we currently require. Are you
                            thinking of proposing a change to the
                            insurance type (i.e.
                            Cyberbreach/cyberliability insurance)?</span><o:p></o:p></p>
                      </div>
                      <div>
                        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
                      </div>
                      <div>
                        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Dean</span><o:p></o:p></p>
                      </div>
                      <div>
                        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"> </span><o:p></o:p></p>
                      </div>
                      <div>
                        <div style="border:none;border-top:solid #B5C4DF
                          1.0pt;padding:3.0pt 0in 0in 0in">
                          <div>
                            <p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif""> </span><a
                                moz-do-not-send="true"
                                href="mailto:public-bounces@cabforum.org"
                                target="_blank"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">public-bounces@cabforum.org</span></a><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">
                                [</span><a moz-do-not-send="true"
                                href="mailto:public-bounces@cabforum.org"
                                target="_blank"><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">mailto:public-bounces@cabforum.org</span></a><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif"">] <b>On
                                  Behalf Of </b>Ben Wilson<br>
                                <b>Sent:</b> Thursday, December 18, 2014
                                10:42 AM<br>
                                <b>To:</b> CABFPub<br>
                                <b>Subject:</b> [cabfpub] Breach
                                Insurance</span><o:p></o:p></p>
                          </div>
                        </div>
                      </div>
                      <div>
                        <p class="MsoNormal"> <o:p></o:p></p>
                      </div>
                      <div>
                        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Arial","sans-serif"">Received
                            this in my email today:</span><o:p></o:p></p>
                      </div>
                      <div>
                        <p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Arial","sans-serif""> </span><o:p></o:p></p>
                      </div>
                      <div>
                        <p class="MsoNormal"><a moz-do-not-send="true"
href="http://www.usatoday.com/story/tech/2014/12/09/security-data-breach-insurance-target/20011477/"
                            target="_blank"><span
style="font-size:11.0pt;font-family:"Arial","sans-serif";color:windowtext">http://www.usatoday.com/story/tech/2014/12/09/security-data-breach-insurance-target/20011477/</span></a><o:p></o:p></p>
                      </div>
                      <p><span
                          style="font-family:"Arial","sans-serif"">Cheers,</span><o:p></o:p></p>
                      <p><span
style="font-size:11.0pt;font-family:"Arial","sans-serif"">Ben</span><o:p></o:p></p>
                    </div>
                    <p class="MsoNormal"><span
style="font-size:13.5pt;font-family:"Helvetica","sans-serif"">_______________________________________________<br>
                        Public mailing list<br>
                      </span><a moz-do-not-send="true"
                        href="mailto:Public@cabforum.org"
                        target="_blank"><span
style="font-size:13.5pt;font-family:"Helvetica","sans-serif"">Public@cabforum.org</span></a><span
style="font-size:13.5pt;font-family:"Helvetica","sans-serif""><br>
                      </span><a moz-do-not-send="true"
                        href="https://cabforum.org/mailman/listinfo/public"
                        target="_blank"><span
style="font-size:13.5pt;font-family:"Helvetica","sans-serif"">https://cabforum.org/mailman/listinfo/public</span></a><span
style="font-size:13.5pt;font-family:"Helvetica","sans-serif""><o:p></o:p></span></p>
                  </div>
                </div>
                <p class="MsoNormal"><o:p> </o:p></p>
              </div>
            </div>
          </div>
        </div>
      </div>
    </blockquote>
    <br>
  </body>
</html>