Insurance broker J.S. Wurzler Underwriting Managers has started charging up to 15 percent more in premiums to clients that use Microsoft's Internet Information Server software, which the Code Red worm feasted on.
In light of the $2bn in damage caused by Code Red, founder and CEO John Wurzler's decision just before the virus hit seems prescient. Wurzler gained notoriety earlier this year for hiking cyberinsurance rates on companies that use Microsoft NT software on their servers.
So far, Wurzler appears to be the only insurer singling out Microsoft for higher rates. And some security officials are not kind in their comments.
"Wurzler is full of it," said Russ Cooper, the editor of the NTBugTraq Web site and an employee of computer risk management and security firm TruSecure. According to Cooper, Windows NT and IIS are easier to secure than comparable Unix or Linux-based servers because Microsoft does a better job of publicising and supplying the needed security patches for its products. "It's easier to manage Microsoft server software because you can get all the patches in one place," he said.
Wurzler, who has been selling hacker insurance since 1998, based his decision on more than 400 security analyses done by his firm over the past three years. Wurzler found that system administrators working on open source systems tend to be better trained and stay with their employers longer than those at firms using Windows software. That turnover may mean that security patches don't get installed, said Wurzler, who offers lower rates to clients that use NT and IIS if they can show that their administrators are following best practices.
Microsoft itself fell victim to Code Red. "We have been very good in patching our own systems. But we haven't been perfect," said Microsoft spokesman Jim Desler, who believes Wurzler's move isn't supported by the facts. "Within the last month, every major software vendor has had a major vulnerability discovered," Desler said.
Emily Freeman, a senior vice president of giant insurance brokerage firm Marsh, said the industry is watching Wurzler's move with interest. Insurers are "concerned that some systems are more vulnerable" than others, she said. But, she added, "There aren't any actuarial tables yet to justify different rates."
Those arguments don't faze Wurzler, who insists his approach is the right one. "Hackers hate Bill Gates, so they want to write code that embarrasses him," Wurzler said. And because that attitude won't change anytime soon, Wurzler said, the most reasonable course is to charge higher premiums for NT and IIS.
See the Viruses and Hacking News Section for the latest headlines.
Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.
Let the editors know what you think in the Mailroom. And read other letters.