[cabfpub] Ballot 121 (insurance)
Ben Wilson
ben at digicert.com
Tue Jul 8 15:04:59 UTC 2014
All,
Based on feedback received so far from several international cyber insurance
experts, here is a current iteration for revisions to Section 8.4 of the EV
Guidelines (redlined PDF attached).
This is only for the EV Guidelines and would apply to CAs desiring to issue
Extended Validation Certificates.
This wording may be further refined based upon your input to Jeremys
question and as any other information from insurance experts comes in.
Please check with your insurance brokers to confirm that you either already
have these coverages or that these can be obtained by your company at
reasonable cost.
Thanks,
Ben
8.4.Insurance
Effective _______, each CA SHALL continuously maintain the following
insurance related to its performance and obligations under these Guidelines:
(A) insurance covering damages to systems, data, or software and for
business interruptions due to natural disaster, fire, IT security failure,
malware, cyber attack / criminal hacker, or theft, in the amount of at least
two million US dollars ($2 million) in coverage; and
(B) Technology Errors and Omissions insurance, with policy limits of at
least five million US dollars ($5,000,000 per claim and in the aggregate)
covering financial damages to third parties arising out of a negligent act,
error, or omission in the performance of technology services under these
Guidelines with coverage to be kept in place for all periods during which an
EV Certificate issued by the CA is still valid. If coverage is non-renewed
or canceled, the CA shall purchase extended reporting period coverage for at
least a two-year period. Territory of coverage shall be global, except for
countries sanctioned by the United States or the European Union.
Such insurance must not exclude coverage when providing public key
infrastructure services and MUST be with a company rated no less than A- as
to Policy Holders Rating in the current edition of Bests Insurance Guide
(or with an association of companies each of the members of which are so
rated).
A CA MAY self-insure for liabilities that arise from such party's
performance and obligations under these Guidelines provided that it has at
least five hundred million US dollars in liquid assets based on audited
financial statements in the past twelve months, and a quick ratio (ratio of
liquid assets to current liabilities) of not less than 1.0.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Tuesday, June 17, 2014 7:18 PM
To: public at cabforum.org
Subject: Re: [cabfpub] Ballot 121 (insurance)
In order to investigate this issue further, I propose that we send the
following to these insurance companies and others (including your own
insurers and brokers):
Subject: Request for Information: Insurance Requirements for Certification
Authorities (CAs)
Dear Insurer/Insurance Broker:
The CA / Browser Forum (cabforum.org) will be replacing the insurance
requirements of Section 8.4 of the EV Guidelines (Guidelines for the
Issuance and Management of Extended Validation Certificates,
https://cabforum.org/extended-validation/).
The Forum would like to ensure the financial stability of CAs in the event
of a data breach as well as provide the best type of coverage for loss to
third parties attributable to a CAs negligent implementation of security.
The Forum would like to know about occurrences/claims-made coverage most
likely to cover incidents similar to the 2011 Diginotar security breach and
which minimizes litigation, to the extent possible.
For purposes of making this policy requirement global in nature (for
insureds and third parties located throughout the world), please respond to
the following question by email sent to questions at cabforum.org:
What are the most succinct but inclusive ways to express that such policy:
A. Can be obtained and will have coverage globally (e.g.
universal, global, worldwide, etc.);
B. Covers claims occurring, made, and/or reported during the
policy period;
C. Provides third-party coverage desired by members of the
CA/Browser Forum (e.g. Internet Professional Services Liability,
Cyberliability, Technology Errors and Omissions, etc.); and
D. Addresses other aspects that may be important to us?
Thanks.
Sincerely yours,
Ben Wilson,
CA/Browser Forum Chair
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Tuesday, June 10, 2014 7:20 PM
To: 'Rick Andrews'; public at cabforum.org
Subject: Re: [cabfpub] Ballot 121 (insurance)
Thanks, Rick. For any CA looking into cyber insurance coverage, here are
some lists of nominees for best insurers and advisors (from an announcement
I received about an upcoming industry event).
Cyber Risk Experts
* Rick Bortnick of Christie Parabue and Young
* Matthew Clarke of AIG Australia
* Nick Economidis of Beazley
* Emily Freeman of Lockton
* Mark Greisiger of NetDiligence
* Steve Haase of INSUREtrust
* Toby Merrill of ACE
* John Mullen of Lewis Brisbois Bisgaard & Smith
* Bob Parisi of Marsh
Best Cyber Incident Response
* AIG
* AllClear ID
* BakerHostetler
* Beazley
* Identity Theft 911
* Lewis Brisbois
* Mandiant
Best Internal Cyber Risk Analysis
* AIG
* Experian
* Kroll
* Liberty International Underwriters
* Privacy Professionals
* RPS Technology & Cyber
* Verizon
* Willis
* XL Group
* Zurich
Best New Cyber Risk Innovation
* ACE (Sidecar with data breach outside limits)
* AIG (CyberEdge iPad app)
* Privacy Professionals (Pre-event loss mitigation tool)
* Risk Based Security (YourCISO risk management portal)
* BitSight (Security ratings)
* Willis (PRISM)
Best Cyber Risk Brokers
* Aon
* Lockton
* Marsh
* RPS Technology & Cyber
* Wells Fargo
* Willis
Best Cyber Risk Insurers
* ACE
* AIG
* Beazley
* CFC Underwriting
* Liberty International Underwriters
* Philadelphia
* XL
* Zurich
Ben
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Rick Andrews
Sent: Monday, June 9, 2014 1:50 PM
To: public at cabforum.org
Subject: Re: [cabfpub] Ballot 121 (insurance)
A Timely article (pun intended):
Cyberattack Insurance a Challenge for Business
<http://p.nytimes.com/email/re?location=InCMR7g4BCKC2wiZPkcVUkfBKD0WxM+9&use
r_id=c619a85212e2206d7323c9ed8f4e42e9&email_type=eta&task_id=140234273991413
3®i_id=0> http://nyti.ms/1oLGfqR
-Rick
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Thursday, June 05, 2014 5:55 AM
To: 'Moudrick M. Dadashov'; i-barreira at izenpe.net; kirk_hall at trendmicro.com;
gerv at mozilla.org; public at cabforum.org
Subject: Re: [cabfpub] Ballot 121 (insurance)
Thanks. Lets keep this discussion moving toward an amendment that provides
a more reasonable, but objective, uniform, and auditable standard to be
applied and implemented globally to address cyber risks and reduce potential
loss to third parties. Ive found about 100 academic papers that mention
cyber insurance and about 200 web pages in the .com space that discuss cyber
coverage. Im sifting through those now. Im happy to make them available
to anyone who wants to participate in this review.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Moudrick M. Dadashov
Sent: Thursday, June 5, 2014 4:43 AM
To: Ben Wilson; i-barreira at izenpe.net; kirk_hall at trendmicro.com;
gerv at mozilla.org; public at cabforum.org
Subject: Re: [cabfpub] Ballot 121 (insurance)
Hi,
looks like we are not alone on this planet:
http://www.tripwire.com/state-of-security/featured/who-should-insure-the-nat
ions-critical-infrastructure/
Is EV SSL issuance a part of NCI?
Thanks,
M.D.
On 6/3/2014 4:43 AM, Ben Wilson wrote:
Thanks, Moudrick, Kirk and Iñigo,
For those who haven't looked up this ETSI document, Section 7.5 says, "(d)
Adequate arrangements to cover liabilities arising from its operations
and/or activities; (e) Financial stability and resources required to operate
in conformity with this policy; and (f) Policies and procedures for the
resolution of complaints and disputes received from customers or other
parties about the provisioning of electronic trust services." This appears
to be based, somewhat, on the liability structure set up in Art.6 of of EU
Directive 1999/93/EC and subsection (h) of Annex II,
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:31999L0093, the
latter of which reads, (h) maintain sufficient financial resources to
operate in conformity with the requirements laid down in the Directive, in
particular to bear the risk of liability for damages, for example, by
obtaining appropriate insurance;
CAs are supposed to address their responsibility under Art. 6. This can be
written in their CP/CPS either under Section 2.3 (RFC 2527) or Section 9.2
(RFC 3647) -- maybe more explicit requirements in the BRs are needed about
what must be written in those sections? Also, I see that "risk" is noted in
Annex II, but not in section 7.5 (too hard to audit?), an insurance or
financial stability requirement is a much easier way to address risks to
third parties than other methods, and it more fairly distributes the loss
potential. See e.g.
http://www.egov.ufsc.br/portal/sites/default/files/anexos/27548-27558-1-PB.p
df
According to
http://www.law.uni-sofia.bg/Kat/T/IP/T/ES/DocLib/The%20Legal%20and%20Market%
20Aspects%20of%20Electronic%20Signatures.pdf
most EU countries have simply copied this text from Annex II into their own
laws without further requirements. However, some, like Spain, have set
forth specific insurance amounts for " Cobertura de seguro u otras garantías
para los terceros de buena fe cuando incumpla las obligaciones que impone la
Ley 59/2003, de 19 de diciembre, de Firma Electrónica" - from what I can
tell, the amount is 3 million Euros.
http://www.boe.es/boe/dias/2003/12/20/pdfs/A45329-45343.pdf So, in order
to be more fair to non-US CAs, what about that 3-million-Euro amount instead
that just said "third party cyber coverage"? (I have Betterley's 2014 Cyber
Insurance Report that I can use to create a definition of "third party cyber
coverage".) Given the facts above, I can't see any reason to replace our
objective rule with something as subjective as "adequate arrangements" or
"sufficient financial resources," which are subjective and impossible to
audit, let alone eliminate it altogether.
Financial stability is a key component of being a CA, especially one that
issues Extended Validation certificates. It certainly seems that any
European CA wanting to issue the "qualified website" equivalent of an EV
certificate will have to meet Art 6 / Annex II requirements in any event.
Also, we require insurance for banks and automobile owners/drivers. Not for
first-party coverage, but for third-party coverage--we do not want innocent
third parties left holding the bag--it's what economists call "negative
externality". Banks, for example, have great security, but they also have
to handle the risk that all of that security won't protect against
everything--nothing works perfectly 100%. Banks are required by regulators
to have financial reserves, deposit insurance, and other risk-mitigating
processes. See http://edoc.ub.uni-muenchen.de/5628/1/Mikkonen_Katri.pdf
Under the EU Directive on capital adequacy of investment
firms and credit
institutions, this means coverage of EUR 20 000 for each depositor, minimum
start-up-capital of EUR 5 million, and then ongoing solvency ratios per
Basel requirements.
Ben
On 6/2/2014 1:40 AM, i-barreira at izenpe.net wrote:
Hi,
The TS 102 042 is the one for EV and BR certs and also indicates in 7.5 what
Mou has stated.
This control was included to let the CA to set the requirements
appropriate to its needs and according to national legislation.
Regards
Iñigo Barreira
Responsable del Área técnica
i-barreira at izenpe.net
945067705
Descripción: cid:image001.png at 01CE3152.B4804EB0
ERNE! Baliteke mezu honen zatiren bat edo mezu osoa legez babestuta egotea.
Mezua badu bere hartzailea. Okerreko helbidera heldu bada (helbidea gaizki
idatzi, transmisioak huts egin) eman abisu igorleari, korreo honi erantzuna.
KONTUZ!
ATENCION! Este mensaje contiene informacion privilegiada o confidencial a la
que solo tiene derecho a acceder el destinatario. Si usted lo recibe por
error le agradeceriamos que no hiciera uso de la informacion y que se
pusiese en contacto con el remitente.
De: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] En
nombre de Moudrick M. Dadashov
Enviado el: sábado, 31 de mayo de 2014 2:30
Para: ben at digicert.com; kirk_hall at trendmicro.com; 'Gervase Markham'; 'public
>> CABFPub'
Asunto: Re: [cabfpub] Ballot 121 (insurance)
On 5/31/2014 2:46 AM, Ben Wilson wrote:
Do you have a proposal that addresses the concerns about financial
stability?
Please see ETSI TS 101 456 V1.4.3 section 7.5 specifically points d), e) and
f) - IMO they are close to what you are looking for.
As a standardization body ETSI doesn't set its requirements in terms of
absolute amounts, this is left to implementers - in this case to MS
Governments.
FYI:
http://www.etsi.org/deliver/etsi_ts/101400_101499/101456/01.04.03_60/ts_1014
56v010403p.pdf
Given the fact that EVG is incorporated into ETSI "as is", I see potential
conflict between the two approaches.
Thanks.
M.D.
-----Original Message-----
From: kirk_hall at trendmicro.com [mailto:kirk_hall at trendmicro.com]
Sent: Friday, May 30, 2014 5:20 PM
To: ben at digicert.com; 'Gervase Markham'; 'public >> CABFPub'
Subject: RE: [cabfpub] Ballot 121 (insurance)
Ben -- as I indicated to the EV Working Group in an email recently, I have
definitely changed my mind about the EVGL insurance requirement based on my
own experience in starting AffirmTrust in 2010. (As a reminder to all,
AffirmTrust was acquired by Trend Micro in 2011, and Trend is big enough and
has a strong enough balance sheet and treasury that under the EVGL we are
entirely exempt from the insurance requirements -- so we have no personal
stake in this.)
While starting my own company, the insurance brokers kept asking me why I
wanted the insurance coverages -- they clearly didn't think I needed them --
and they warned me that the E&O coverage in particular probably wasn't going
to provide me with any meaningful protection for anything (given that it
generally doesn't cover contractual liability for a bad cert, return of
fees, etc.) So it felt like a very big waste of money.
Plus we now know from eight years of experience (plus the anecdotal evidence
of Trend Micro's legal counsel from his decade at VeriSign) that there
simply aren't claims from customers or relying parties for mis-issued certs
and that the need for insurance (even if it did cover the mis-issuance of EV
certs) is minimal at best. The one case of catastrophic failure and breach,
DigiNotar, apparently resulted in a court ruling that the insurer would be
allowed to deny all coverage.
When we collectively were brainstorming in 2005-6 to create the first EV
Guidelines, we were trying to come up with lots and lots of requirements to
try to set EV certs apart from other certs. As I recall, we considered even
more complex verification steps for EV to make it similar to the closing of
a major corporate transaction (e.g., getting Board of Directors
authorizations, Secretary's Certificates, etc.) -- fortunately, common sense
prevailed and we slimmed down the requirements so they are very thorough,
but achievable.
Finally, the Forum has learned through eight years of experience that these
insurance requirements are even harder and more expensive for
non-US/Canadian CAs to satisfy, and that their brokers also tell them the
coverages won't provide them with any meaningful protection. We don't want
the EV Guidelines to be weighted in favor of US/Canadian CAs.
The Forum hasn't hesitated from changing other EVGL requirements when we
think justified -- such as recently allowing the use of the automatic email
verification method to upgrade domains to the EV level (using the same
verification methods as for DV and OV certs). For the first seven years of
the EVGL, we were all required to do manual vetting of domains with a WhoIs
lookup and deal with any mis-match of the registration.
So for all these reasons, I think Gerv is right and it's time to drop the
insurance requirements. Let CAs follow any insurance requirements that
their applicable local jurisdiction(s) may impose, but otherwise don't
create an additional insurance requirement through the EV Guidelines.
Gerv, thanks for sharing your thoughtful and well informed opinion. It
really helps.
Kirk
-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Ben Wilson
Sent: Friday, May 30, 2014 3:15 PM
To: 'Gervase Markham'; 'public >> CABFPub'
Subject: Re: [cabfpub] Ballot 121 (insurance)
Gerv and all,
If people want to save money, they can stick to issuing DV or OV
certificates. EV certificates need to remain different, and this proposed
move is contrary to the first goal we all agreed upon when we began working
on the guidelines for issuing Extended Validation Certificates, which my
notes indicates was to "increase online trust."
If the ballot is re-introduced and passes, then CAs will not be required to
have insurance for any negligence in issuing or maintaining EV Certificates.
It increases the likelihood that another Diginotar won't be held
accountable, and I believe the insurance is currently available at
affordable cost, approximately $10,000 per $1 million coverage. I have
attached a sample cyber-insurance policy, which is available in similar form
from any of top insurers internationally-- Zurich, ING, AIG, AXA, Allianz,
etc.
The reintroduction of Ballot 121 also reopens negotiations of 8 years ago,
which took place during 2006. For example, attached is Kirk Hall's memo to
the group from June 2006 in which he recommends "indemnity insurance
coverage (e.g. "errors and omissions," "cyber coverage," "network computer
liability," "professional liability," or other similar coverage) for
Extended Validation Certificates [in the amount of $10 million]."
Opponents of insurance requirements cannot simply erase these historical
choices without proposing viable alternatives. (It's always easier to
complain and to poke holes at things than to work on real solutions.) And
finally, if the EV Guidelines do not contain some form of financial
responsibility, then we might as well delete the Section 7 warranties, and
the other EV provisions to which they refer, because they will just become
empty promises.
Ben
-----Original Message-----
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On
Behalf Of Gervase Markham
Sent: Friday, May 30, 2014 12:41 PM
To: public >> CABFPub
Subject: [cabfpub] Ballot 121 (insurance)
I talked to our lawyer this morning. Mozilla is now willing to support the
proposal in Ballot 121 (removal of the insurance requirement from the EV
Guidelines).
We feel that this requirement provides no significant protection in practice
for either users, for whom CAs can limit liability to $2000 anyway, or for
browsers, for whom clause 18.2 which indemnifies them is much more relevant.
We encourage other CAs and browsers to support this ballot also, and let the
CAs put the $N,000 saved towards making their products better and/or cheaper
for users.
Gerv
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
<table class="TM_EMAIL_NOTICE"><tr><td><pre>
TREND MICRO EMAIL NOTICE
The information contained in this email and any attachments is confidential
and may be subject to copyright or other intellectual property protection.
If you are not the intended recipient, you are not authorized to use or
disclose this information, and we request that you notify us by reply mail
or telephone and delete the original message from your mail system.
</pre></td></tr></table>
_______________________________________________
Public mailing list
Public at cabforum.org
https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140708/748287f3/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.png
Type: image/png
Size: 19121 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140708/748287f3/attachment-0002.png>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: EV - insurance ballot.pdf
Type: application/pdf
Size: 84560 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140708/748287f3/attachment-0002.pdf>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5453 bytes
Desc: not available
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140708/748287f3/attachment.p7s>
More information about the Public
mailing list