Windows raises hacking insurance prices

Hack attacks prompt underwriter to slap a five to 15 percent premium on insurance premiums for firms using Windows - and IIS will be next
Written by Robert Bryce, Contributor

Microsoft's server software is easy to install, loaded with features and fairly reliable. It may also be more costly to insure against hack attacks.

JS Wurzler Underwriting Managers, one of the first companies to offer hacker insurance, has begun charging its clients 5 percent to 15 percent more if they use Microsoft's Windows NT software in their Internet operations. Although several larger insurers said they won't increase their NT-related premiums, Wurzler's announcement indicates growing frustration with the ongoing discoveries of vulnerabilities in Microsoft's products.

Some industry observers believe other insurers may follow Wurzler's lead, which could affect the overall hacker insurance market, a sector that the Insurance Information Institute estimates may generate $2.5bn (£1.7bn) in annual premiums by 2005.

"We saw that our NT-based clients were having more downtime [due to hacking]," says John Wurzler, founder and chief executive of the Michigan company, which has been selling hacker insurance since 1998.

Wurzler said the decision to charge higher premiums was not mandated by the syndicates affiliated with Lloyd's of London that underwrite the insurance he sells. Instead, the move was based on findings from 400 security assessments that his firm has done on small and midsize businesses over the past three years.

Wurzler found that system administrators working on open source systems tend to be better trained and stay with their employers longer than those at firms using Windows software, where turnover can exceed 33 percent per year. That turnover contributes to another problem: system administrators are not implementing all the patches that have been issued for Windows NT, Wurzler said.

According to Microsoft's Web site, more than 50 vulnerabilities -- and the patches to fix them -- have been issued for Windows NT server software since June 1998.

Microsoft spokesman Jim Desler said the hacker insurance market is still too young to declare Wurzler's move a trend. "There's not enough history or business to draw conclusions about rate-setting practices," Desler said. As the market matures, rates are likely to be based on best practices, rather than on platforms or products, he predicted. "We provide unparalleled support in the area of security."

American International Group, the country's largest insurance underwriter, said it will not raise its rates for Windows NT-based systems. Nor will Aon, the world's second largest insurance broker. "[The use of NT is] just one factor in the overall assessment of risks. It can be an indicator of other vulnerabilities, but you may also have other things in place to counter that, like firewalls and intrusion-detection systems," said Kevin Kalinich, a director in Aon's technology and telecommunications group.

However, Harry Croydon, chief executive of Safeonline, a London risk analysis firm that works with underwriters at Lloyd's, predicted that Wurzler's decision to charge more for Windows NT machines is "a trend we will see increasing." Just as drivers who own rare cars pay more to insure them, Croydon said, "certain types of software expose you to different risks".

Although Wurzler's company is small -- eight employees -- digital security firms are watching it closely. Bruce Schneier, Counterpane Internet Security's co-founder and chief technical officer, said it makes sense for underwriters to differentiate premiums based on the type of software and hardware that's used. "Insurance companies are looking to manage their risk effectively. If there's a technology that reduces risk, they'll charge lower premiums," Schneier said.

Indeed, several insurers offer discounts to clients that use managed security service providers or put certain security devices on their networks. For example, last week, AIG said it will cut premiums up to 10 percent for clients that use a new security device made by Invicta Networks, a Virginia company headed by Victor Sheymov, a former KGB agent. Invicta claims its device, which uses an Internet Protocol address-shifting technology, is impossible to hack.

Windows-based servers are frequently victimised by hackers. From August 1999 to November 2000, 56 percent of all the successful, documented hack attacks occurred on systems using Microsoft server software, according to statistics posted at Attrition.org, a Web site that records hackers' exploits.

Given Windows NT's record, Gene Spafford, the director of Purdue University's Center for Education and Research in Information Assurance and Security, believes higher insurance premiums may be justified. "NT is more difficult to install correctly and keep up to date than Linux," Spafford said.

Right now, it appears that Wurzler is going it alone among insurers by charging higher premiums to Windows NT users. But Wurzler said the higher prices are not costing his company customers.

A policy covering revenue lost due to hacking costs about $4,000 per year for each $1m in coverage, he said.

About half of his clients use Windows NT, Wurzler said; the rest use Linux or Unix. Given that breakdown, he said it's easy to justify higher rates for NT machines. "Why should a Unix player with fewer vulnerabilities subsidise NT users?" Wurzler asked.

And Wurzler's not through with Microsoft. He said his firm is looking at vulnerabilities in Microsoft's Internet Information Server software, and that it may soon begin charging higher premiums for that product, too.

Is your PC safe? Find out in ZDNet UK's Viruses and Hacking News Section.

Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.

Let the editors know what you think in the Mailroom. And read other letters.

Editorial standards