May 01, 2003 — CSO — Q: Before I buy infosecurity malpractice insurance and presumably pay pricey premiums, I'd like to know that someone's done a credible job of defining a standard for what constitutes malpractice. Has that been done? And by whom?
A: Malpractice insurance would assume that we know what malpractice is, and we simply do not—although the next-to-last draft of the National Strategy to Secure Cyberspace did invite the licensure of security professionals. Absent licensure, there is no gating competence standard for security professionals. The only other standard would be a code of ethics and a professional body to hold the stone tablets on which they were writ. We don't have that either. Hence the claim that we do not know what malpractice is, at least not in the way more venerable professions do.
What we do have is liability insurance, such as Directors and Officers (D&O) insurance and Errors and Omissions (E&O) insurance. A sole practitioner really does need some sort of protection from professional liability, as does a consultancy, both probably more in the form of E&O. There is not yet an established sense of what constitutes good security professional work, however, and it will be hard to define. The competence standard will get defined, whether or not the recommendations for licensure fall out of the National Strategy (as they did under lobbying pressure).
In the case of D&O, policies do differ, but it is very difficult to know what you have to work with. For example, a leading market underwriter has a war exclusion in its policy. The underwriter classifies terrorism as invoking war and further classifies hackers as terrorists. Where such a classification scheme is in place, it is hard to imagine collecting insurance money for the impact of an attack from the Internet, assuming you define malpractice as equivalent to a D&O liability. To carry that a bit further, the same insurance carrier voids its business continuity coverage of "failure to patch" and in turn voids its D&O coverage where the covered party "fails to maintain insurance." In short, malpractice is about character. The business decisions are about who can sue whom and for what.
Q: How do you think 9/11 has affected cybersecurity initiatives? What course will the cybersecurity market take going forward?
A: Disaster preparedness has been affected most since 9/11. Before that day, the press and public would say that a cyberattack proved that the victim was asking for it. After 9/11, the press and public grasp that there are bad people in the world and that perhaps the victim was not asking for it. Companies must pay attention to their forensic abilities, which require planning for forensic data collection before an attack, if they want to pursue attackers. No doubt there will come a time when incident response will be part of the mandatory professional skill set of security professionals and therefore its absence would be a malpractice marker.