[cabfpub] Breach Insurance

Moudrick M. Dadashov md at ssc.lt
Fri Dec 19 15:37:10 UTC 2014


+1

Add to this business continuity, termination, archived data preservation 
requirements and we'll have a clear answer why and what kind of 
insurance we need.

Thanks,
M.D.

On 12/19/2014 5:16 PM, Dean Coclin wrote:
>
> Isn't the skin in the game from insurers to ensure that they can find 
> as many ways as possible to disqualify the policy, rather than 
> actually secure the insured?
>
> >>Yes of course and if anyone has ever had the pleasure of filing a home 
> insurance claim after a disaster, you quickly learn that it pays to 
> hire your own insurance “advocate” who will work on your behalf to get 
> the most from the insurance company.
>
> Indeed, in the history of events that have done the most to undermine 
> the faith in the CA ecosystem, they have been systemic issues that any 
> insurance agency - especially when looking at large scale liability as 
> proposed by 141 - would seek to use to disqualify the policy and 
> reject the claim.
>
> >>I don’t disagree with this but shouldn’t we be looking at not just 
> “Diginotar type” events? There is a broad spectrum of events that 
> insurance can cover as well as things they explicitly do not cover 
> (just look at your homeowners policy).
>
> Perhaps a better solution is to do what we did with the CAA ballot. 
> Mandate that the CA disclose its coverage in the CPS. If they don’t 
> have any, just say so. A cert buyer (or relying party) can make a 
> decision based on that. (Thanks to Ben for suggesting that to me!)
>
> Dean
>
> *From:* Ryan Sleevi [mailto:sleevi at google.com]
> *Sent:* Thursday, December 18, 2014 6:51 PM
> *To:* Phillip
> *Cc:* CABFPub; Dean Coclin
> *Subject:* Re: [cabfpub] Breach Insurance
>
> Isn't the skin in the game from insurers to ensure that they can find 
> as many ways as possible to disqualify the policy, rather than 
> actually secure the insured?
>
> After all, the article shows that the Cyberbreach insurance Target had 
> was "useless", inasmuch as the claims were disqualified because of 
> actions of the insured. This is exactly what we saw of DigiNotar as 
> well - the insurance claim was denied because of actions of DigiNotar.
>
> Indeed, in the history of events that have done the most to undermine 
> the faith in the CA ecosystem, they have been systemic issues that any 
> insurance agency - especially when looking at large scale liability as 
> proposed by 141 - would seek to use to disqualify the policy and 
> reject the claim.
>
> On Dec 18, 2014 3:36 PM, "Phillip Hallam-Baker" <philliph at comodo.com> wrote:
>
> I don’t particularly mind what type of insurance it is, provided that 
> it means that the activities of the CA are going to be overseen by 
> some party who would have skin in the game in the case of a breach.
>
> Audits are fine but the auditors don’t have skin in the game.
>
> On Dec 18, 2014, at 6:24 PM, Dean Coclin <Dean_Coclin at symantec.com> wrote:
>
> Thanks Ben. I’m assuming you are posting this with regards to the 
> recent insurance debate. Although I was initially opposed to dropping 
> the EV Insurance requirement, my thinking has changed as others have 
> posted facts about the type of insurance that the EVGL require and 
> appropriateness to its intended use. Symantec’s current position would 
> be in favor of ballot 142 (Gerv’s elimination ballot). The article you 
> linked to below seems to favor a different type of insurance than what 
> we currently require. Are you thinking of proposing a change to the 
> insurance type (i.e. Cyberbreach/cyberliability insurance)?
>
> Dean
>
> *From:* public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] 
> *On Behalf Of* Ben Wilson
> *Sent:* Thursday, December 18, 2014 10:42 AM
> *To:* CABFPub
> *Subject:* [cabfpub] Breach Insurance
>
> Received this in my email today:
>
> http://www.usatoday.com/story/tech/2014/12/09/security-data-breach-insurance-target/20011477/
>
> Cheers,
>
> Ben
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org <mailto:Public at cabforum.org>
> https://cabforum.org/mailman/listinfo/public
