[cabfpub] Breach Insurance

Ben Wilson ben.wilson at digicert.com
Tue Dec 23 17:22:01 UTC 2014

At least one opponent to the previous ballot on this matter has expressed his belief that insurers do not pay claims.  

I'd like to counter that argument with this report from NetDiligence - http://www.netdiligence.com/files/CyberClaimsStudy-2013.pdf. According to NetDiligence's study of incidents that occurred between 2010 and 2012, as of last year when the report was prepared, 145 data breach claims had been filed. One hundred forty (140) of those were for data loss exposure (third party) and five (5) were for business interruption (1st party). Of the 140 third-party claims, $84 million had been paid out on 88 of them. Thus, about 37% had not been paid (for whatever reason), while nearly 63% had been paid. The average payout was $1 million with a range of $2,500 to $20 million (the full amount of that claim) (p. 3). Higher claims and payouts were generally for larger companies (capitalization > $2B), and vice versa (pp. 20-21).

As e-commerce continues to grow, and as more breaches, claims, lawsuits, negligence findings, judgments, court opinions, and damage awards do, too, cyber liability and data breach coverage is an area we need to follow.

-----Original Message-----
From: i-barreira at izenpe.net [mailto:i-barreira at izenpe.net] 
Sent: Tuesday, December 23, 2014 8:34 AM
To: md at ssc.lt; gerv at mozilla.org; S.Davidson at quovadisglobal.com; Ben Wilson; Dean_Coclin at symantec.com; public at cabforum.org
Subject: RE: [cabfpub] Breach Insurance


There's a defined qualified certificate for web sites that can or cannot be typed "EV". It's up to the CA to decide, but in any case, being a qualified one, it will have to comply with the liability and insurance requirements set in the regulation according to every national law, so in the end, the majority of the European CAs must have an insurance (the quantity is less important, but more or less they are very similar in every country; we can collect some info around it) to issue these types of EVs even if the CABF removes the requirement.
I'm not saying not to drop the requirement, just that some of us will still need to pay for an insurance for issuing SSL EV certs.

Regarding ETSI, this is taken into account because of the regulation for those "qualified" ones.

Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.net

-----Original Message-----
From: Moudrick M. Dadashov [mailto:md at ssc.lt]
Sent: Monday, December 22, 2014 19:09
To: Gervase Markham; Stephen Davidson; Ben Wilson; Barreira Iglesias, Iñigo; Dean_Coclin at symantec.com; public at cabforum.org
Subject: Re: [cabfpub] Breach Insurance

Sorry for the confusion, Gerv, I was responding to Stephen's skepticism.

In regard to Qualified SSL, Arno and Iñigo know this better, but I don't expect any significant shift even if someday today's EVCP becomes Qualified SSL. If they declare it is equal to EV SSL, that means all EVG requirements apply without any exceptions. However, this doesn't prevent them from having extra requirements for Qualified SSL.


On 12/22/2014 7:25 PM, Gervase Markham wrote:
> On 22/12/14 17:05, Moudrick M. Dadashov wrote:
>> I'm afraid this is not an accurate assumption, actually the auditors 
>> require ***full*** EVG compliance.
> I'm afraid I don't understand your point.
> I am saying that if I decide to have "Gerv EV", which requires all CAs 
> implementing it to change their logos to include a picture of a 
> banana, then there is no requirement whatsoever for the CAB Forum to 
> update the EV Guidelines to make the banana thing a requirement for 
> all CAs. That remains true even if (say) over half of the CAs in the 
> forum choose to implement Gerv EV and so implement the banana-logo requirement.
> What I do (or anyone else does) with CAB Forum standards, external to 
> the CAB Forum, cannot force the CAB Forum's hand about what it should do.
> Does that make sense?
> Gerv
>> On 12/22/2014 6:46 PM, Gervase Markham wrote:
>>> On 22/12/14 16:34, Stephen Davidson wrote:
>>>> An observation that may or may not sway your opinion:  the goal of 
>>>> EV was to create uniform requirements across CAs, and this proposal 
>>>> will introduce variation. As I understand it, the "qualified SSL" 
>>>> under eIDAS are likely to be based on EV.  Thus, a "qualified EV" 
>>>> would have an insurance level that "normal EV" may not have.
>>> If other people want to build standards on EV, we aren't going to 
>>> stop them. But if they add additional requirements, we can't let 
>>> that force us to add those requirements also - because otherwise, 
>>> everyone else would be making the CAB Forum's decisions for us.
>>> Gerv
