The International Computer Security Association is offering insurance of up to $250,000 for customers of its TruSecure security assurance service if a malicious hacker successfully attacks their network, even if no losses are suffered.
TruSecure, relaunched in April by private firm ICSA, tests and certifies security set-ups on corporate networks. It involves external efforts to break into a network as well as analysis of internal procedures.
"We thought we'd put money where our mouth is to act in a publicly trusted way," ICSA president Peter Tippett said. "We expect to pay sometimes because what we are doing is reducing risk, not eliminating it. We have learned that our process does work."
A recent ICSA study of about 200 Internet servers found that more than 70 percent had security flaws that made them vulnerable to outside attacks, even though most sites in the survey had firewalls in place. The survey included small companies, Fortune 500 firms, and government agencies.
Firewalls and other security measures are not foolproof because they require proper configuration that has to be changed as a corporate network evolves. Also, many operating systems have built-in vulnerabilities.
Seven types of incidents are covered under the ICSA's insurance program, including loss of Internet email, an Internet transactional system, or other services. The insurance also covers public defacement of a Web page and loss of data via eavesdropping, breaking into a Unix computer through the Internet or a firewall, and the alteration, damage, or destruction of sensitive data.
The insurance pays $20,000 per incident for each certified site, capped at twice the customer's annual subscription fee. The maximum annual payment is $250,000.
Tippett said the insurance is in part a marketing device but said his company has signed up 100 customers for TruSecure in the last six months. He also said the ICSA is talking to major U.S. insurance carriers that may offer network risk and liability insurance, an emerging category of specialized policies designed to cover trusted networks.
Those carriers, which he declined to name, may offer millions of dollars of coverage. Some intend to require ICSA TruSecure certification as a condition for getting the insurance, while others are looking at discounted rates for certified sites.
The TruSecure service, which starts at $40,000 per year for the complete service, aims to protect an organization's network perimeter from penetration. It involves testing for vulnerabilities, bringing the system up to security standards, on-site audits, security updates and alerts, and periodic spot-checks.
The ICSA, a for-profit private company, changed its name last year from the National Computer Security Association.