[cabfpub] Breach Insurance

Ben Wilson ben.wilson at digicert.com
Fri Dec 19 16:32:02 UTC 2014


The BRs could state something along the lines of "CAs MUST disclose in
section 9.2 of their CP/CPS (per RFC 3647) whether it maintains insurance
coverage for its liabilities to third parties and, if so, the amount."
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Moudrick M. Dadashov
Sent: Friday, December 19, 2014 8:37 AM
To: Dean Coclin; Ryan Sleevi; Phillip
Cc: CABFPub
Subject: Re: [cabfpub] Breach Insurance
+1

add to this business continuity, termination, archived data preservation
requirements and we'll have a clear answer why and what kind of insurance we
need.

Thanks,
M.D.   

On 12/19/2014 5:16 PM, Dean Coclin wrote:

Isn't the skin in the game from insurers to ensure that they can find as
many ways as possible to disqualify the policy, rather than actually secure
the insured?

>>Yes of course and if anyone has ever had the pleasure of filing a home
insurance claim after a disaster, you quickly learn that it pays to hire
your own insurance "advocate" who will work on your behalf to get the most
from the insurance company.
Indeed, in the history of events that have done the most to undermine the
faith in the CA ecosystem, they have been systemic issues that any insurance
agency - especially when looking at large scale liability as proposed by 141
- would seek to use to disqualify the policy and reject the claim.

>>I don't disagree with this but shouldn't we be looking at not just
"Diginotar type" events? There is a broad spectrum of events that insurance
can cover as well as things they explicitly do not cover (just look at your
homeowners policy).
Perhaps a better solution is to do what we did with the CAA ballot. Mandate
that the CA disclose its coverage in the CPS. If they don't have any, just
say so. A cert buyer (or relying party) can make a decision based on that.
(Thanks to Ben for suggesting that to me!)
Dean
From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Thursday, December 18, 2014 6:51 PM
To: Phillip
Cc: CABFPub; Dean Coclin
Subject: Re: [cabfpub] Breach Insurance
Isn't the skin in the game from insurers to ensure that they can find as
many ways as possible to disqualify the policy, rather than actually secure
the insured?

After all, the article shows that the Cyberbreach insurance Target had was
"useless", in as much as the claims were disqualified because of actions of
the insured. This is exactly what we saw of DigiNotar as well - the
insurance claim was denied because of actions of DigiNotar.

Indeed, in the history of events that have done the most to undermine the
faith in the CA ecosystem, they have been systemic issues that any insurance
agency - especially when looking at large scale liability as proposed by 141
- would seek to use to disqualify the policy and reject the claim.

On Dec 18, 2014 3:36 PM, "Phillip Hallam-Baker" <philliph at comodo.com> wrote:

I don't particularly mind what type of insurance it is, provided that it
means that the activities of the CA are going to be overseen by some party
who would have skin in the game in the case of a breach.
Audits are fine but the auditors don't have skin in the game.

On Dec 18, 2014, at 6:24 PM, Dean Coclin <Dean_Coclin at symantec.com> wrote:
Thanks Ben. I'm assuming you are posting this with regards to the recent
insurance debate. Although I was initially opposed to dropping the EV
Insurance requirement, my thinking has changed as others have posted facts
about the type of insurance that the EVGL require and appropriateness to its
intended use. Symantec's current position would be in favor of ballot 142
(Gerv's elimination ballot). The article you linked to below seems to favor
a different type of insurance than what we currently require. Are you
thinking of proposing a change to the insurance type (i.e.
Cyberbreach/cyberliability insurance)?
Dean
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Thursday, December 18, 2014 10:42 AM
To: CABFPub
Subject: [cabfpub] Breach Insurance
Received this in my email today:

http://www.usatoday.com/story/tech/2014/12/09/security-data-breach-insurance-target/20011477/

Cheers,

Ben

_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
