[cabfpub] Ballot 121 (insurance)

Moudrick M. Dadashov md at ssc.lt
Wed Jul 9 13:40:45 UTC 2014


Hi,

please consider one more version:

8.4.Insurance

Effective _______, each CA SHALL continuously maintain the following 
insurance related to its own performance and obligations under these 
Guidelines, that MUST be kept in place for all periods of validity of 
any EV Certificate issued by the CA:

(A) a valid insurance covering damages to systems, data, or software and 
for business interruptions due to natural disaster, fire, IT security 
failure, malware, cyber attack / criminal hacker, or theft, in the 
amount sufficient to ensure business continuity at least in terms of 
fully functional, globally accessible certificate Revocation management 
service* and certificate Revocation status service**; and

(B) a valid Technology Errors and Omissions insurance, according to 
policy limits defined by the CA's jurisdiction of incorporation, if any, 
at least in the amount sufficient to cover CA's publicly disclosed 
financial warranties to EV Certificate Beneficiaries and/or Relying 
parties arising out of its  negligent act, error, or omission in the 
performance of technology services under these Guidelines. Territory of 
coverage shall be global, except for countries sanctioned by the United 
States or the European Union.

A CA MAY self-insure for liabilities that arise from such party's 
performance and obligations under these Guidelines provided that it has 
at least five hundred million US dollars in liquid assets based on 
audited financial statements in the past twelve months, and a quick 
ratio (ratio of liquid assets to current liabilities) of not less than 1.0.

N.B. these definitions are from ETSI 102 042, section 4.2:

* Revocation management service:
processes requests and reports relating to revocation to determine the 
necessary action to be taken. The results of this service are 
distributed through the revocation status service.

** Revocation status service:
provides certificate revocation status information to relying parties. 
This service may be a real-time service or may be based on revocation 
status information which is updated at regular intervals.

Thanks,
M.D.

On 7/9/2014 3:04 PM, Arno Fiedler wrote:
> Hello,
> it sounds very US-centric and very detailed, "/MUST be with a company 
> rated no less than A- as to Policy Holder's Rating in the current 
> edition of Best's Insurance Guide"/ seems to be not applicable for 
> "Rest of World."
> Best regards
> arno
>
>
> Am 08.07.2014 17:04, schrieb Ben Wilson:
>>
>> All,
>>
>> Based on feedback received so far from several international cyber 
>> insurance experts, here is a current iteration for revisions to 
>> Section 8.4 of the EV Guidelines (redlined PDF attached).
>>
>> This is only for the EV Guidelines and would apply to CAs desiring to 
>> issue Extended Validation Certificates.
>>
>> This wording may be further refined based upon your input to Jeremy's 
>> question and as any other information from insurance experts comes in.
>>
>> Please check with your insurance brokers to confirm that you either 
>> already have these coverages or that these can be obtained by your 
>> company at reasonable cost.
>>
>> Thanks,
>>
>> Ben
>>
>>
>>     8.4.Insurance
>>
>> Effective _______, each CA SHALL continuously maintain the following 
>> insurance related to its performance and obligations under these 
>> Guidelines:
>>
>> (A) insurance covering damages to systems, data, or software and for 
>> business interruptions due to natural disaster, fire, IT security 
>> failure, malware, cyber attack / criminal hacker, or theft, in the 
>> amount of at least two million US dollars ($2 million) in coverage; and
>>
>> (B) Technology Errors and Omissions insurance, with policy limits of 
>> at least five million US dollars ($5,000,000 per claim and in the 
>> aggregate) covering financial damages to third parties arising out of 
>> a negligent act, error, or omission in the performance of technology 
>> services under these Guidelines with coverage to be kept in place for 
>> all periods during which an EV Certificate issued by the CA is still 
>> valid. If coverage is non-renewed or canceled, the CA shall purchase 
>> extended reporting period coverage for at least a two-year period. 
>> Territory of coverage shall be global, except for countries 
>> sanctioned by the United States or the European Union.
>>
>> Such insurance must not exclude coverage when providing public key 
>> infrastructure services and MUST be with a company rated no less than 
>> A- as to Policy Holder's Rating in the current edition of Best's 
>> Insurance Guide (or with an association of companies each of the 
>> members of which are so rated).
>>
>> A CA MAY self-insure for liabilities that arise from such party's 
>> performance and obligations under these Guidelinesprovided that it 
>> has at least five hundred million US dollars in liquid assets based 
>> on audited financial statements in the past twelve months, and a 
>> quick ratio (ratio of liquid assets to current liabilities) of not 
>> less than 1.0.
>>
>>
>
> -- 
> Arno Fiedler
> Nimbus Technologieberatung GmbH
> Reichensteiner Weg 17
> 14195 Berlin
> Mobil:      0049-(0)172-3053272
> Fax:        0049-(0)30-89745-777
> E-Mail:arno.fiedler at nimbus-berlin.com
> Web:www.nimbus-berlin.com
> Geschäftsführer:  Arno Fiedler
> USt-IdNr. :       DE 203 269 920
> D-U-N-S® Nr.      50-730-8117
> HandelsregisterNr:HRB 109409 B
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140709/b28e1e3a/attachment-0003.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3663 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.cabforum.org/pipermail/public/attachments/20140709/b28e1e3a/attachment-0001.p7s>


More information about the Public mailing list