[cabfpub] Ballot 121 (insurance)

Ben Wilson ben at digicert.com
Tue Jul 15 07:54:27 MST 2014


All,

 

I just spoke with an insurance expert in London.  She said that for purposes
of obtaining insurance internationally, we should use generic terms in our
insurance requirements under 8.4.  

 

For (A), she suggested that we just say something like “casualty insurance
sufficient to cover CA system damage or loss due to fire, water, electrical
failure, or natural disaster, and including, if reasonably available, data
loss due to IT security failure.”  (Whether we require insurance for data
loss or security breach is something we can debate further.)

 

For (B), we should just say something like “third party coverage in the
amount of at least _____ covering financial loss to EV Certificate
Beneficiaries and/or Relying parties arising out of the CA’s negligent act,
error, or omission in the performance of technology services under these
Guidelines.”  

 

I think this puts us a few steps closer to a resolution of this issue.   Now,
if we can agree on a financial amount for (B).  What about 2 million Euros
under (B)?  Discussion?

 

Thanks,

 

Ben

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of i-barreira at izenpe.net
Sent: Thursday, July 10, 2014 12:29 AM
To: ben at digicert.com; arno.fiedler at nimbus-berlin.com; public at cabforum.org
Subject: Re: [cabfpub] Ballot 121 (insurance)

 

I personally, between both, prefer the first one. Including rating agencies
like Standard & Poor's, Fitch, etc. it's worse than the A rating. I had no
problems finding an insurer with that qualification in Spain (in fact I've
changed my insurance company 3 times, from Lloyd's to Chubb and now to CFC
underwriting).

 

 

Iñigo Barreira
Head of the Technical Area
i-barreira at izenpe.net

945067705

 


 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Wednesday, July 9, 2014 20:39
To: arno.fiedler at nimbus-berlin.com; public at cabforum.org
Subject: Re: [cabfpub] Ballot 121 (insurance)

 

Arno,

What if it said, “MUST be an insurer rated with a financial strength
indicating an excellent ability to meet its ongoing insurance obligations by
Standard & Poor’s, A.M. Best, Fitch, Moody’s, DBRS, Japan Credit Rating
Agency, Creditreform, Scope Ratings, or a similarly recognized rating
agency”?

Cheers,

Ben

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Wednesday, July 9, 2014 10:15 AM
To: arno.fiedler at nimbus-berlin.com; public at cabforum.org
Subject: Re: [cabfpub] Ballot 121 (insurance)

 

Thanks, Arno.  I’ll revise and resubmit.

 

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Arno Fiedler
Sent: Wednesday, July 9, 2014 6:05 AM
To: public at cabforum.org
Subject: Re: [cabfpub] Ballot 121 (insurance)

 

Hello,
it sounds very US-centric and very detailed, "MUST be with a company rated
no less than A- as to Policy Holder’s Rating in the current edition of
Best’s Insurance Guide" seems to be not applicable for "Rest of World." 
Best regards
arno


On 08.07.2014 17:04, Ben Wilson wrote:

All,

Based on feedback received so far from several international cyber insurance
experts, here is a current iteration for revisions to Section 8.4 of the EV
Guidelines (redlined PDF attached).  

This is only for the EV Guidelines and would apply to CAs desiring to issue
Extended Validation Certificates. 

This wording may be further refined based upon your input to Jeremy’s
question and as any other information from insurance experts comes in.  

Please check with your insurance brokers to confirm that you either already
have these coverages or that these can be obtained by your company at
reasonable cost.

Thanks,

Ben

 


8.4. Insurance


Effective _______, each CA SHALL continuously maintain the following
insurance related to its performance and obligations under these Guidelines:

(A) insurance covering damages to systems, data, or software and for
business interruptions due to natural disaster, fire, IT security failure,
malware, cyber attack / criminal hacker, or theft, in the amount of at least
two million US dollars ($2 million) in coverage; and 

(B) Technology Errors and Omissions insurance, with policy limits of at
least five million US dollars ($5,000,000 per claim and in the aggregate)
covering financial damages to third parties arising out of a negligent act,
error, or omission in the performance of technology services under these
Guidelines with coverage to be kept in place for all periods during which an
EV Certificate issued by the CA is still valid. If coverage is non-renewed
or canceled, the CA shall purchase extended reporting period coverage for at
least a two-year period. Territory of coverage shall be global, except for
countries sanctioned by the United States or the European Union. 

Such insurance must not exclude coverage when providing public key
infrastructure services and MUST be with a company rated no less than A- as
to Policy Holder’s Rating in the current edition of Best’s Insurance Guide
(or with an association of companies each of the members of which are so
rated). 

A CA MAY self-insure for liabilities that arise from such party's
performance and obligations under these Guidelines provided that it has at
least five hundred million US dollars in liquid assets based on audited
financial statements in the past twelve months, and a quick ratio (ratio of
liquid assets to current liabilities) of not less than 1.0. 

 

 

 

-- 
Arno Fiedler
Nimbus Technologieberatung GmbH
Reichensteiner Weg 17
14195 Berlin
Mobile:     0049-(0)172-3053272
Fax:        0049-(0)30-89745-777
E-Mail:     arno.fiedler at nimbus-berlin.com
Web:        www.nimbus-berlin.com
Managing Director:        Arno Fiedler
VAT ID No.:               DE 203 269 920
D-U-N-S® No.:             50-730-8117
Commercial Register No.:  HRB 109409 B