Okemos, Mich.-based J.S. Wurzler Underwriting Managers, one of the earliest agencies to offer hacker insurance, has begun charging its clients anywhere from 5 to 15 percent more if they use Microsoft's Windows NT software instead of Unix or Linux for their Internet operations.
"We have always felt that there is a high risk with the Windows NT system," said Walter Kopf, senior vice president of underwriting at Wurzler. "We have found out that the possibility for loss is greater using the NT system. Where there is a greater loss, there tends to be an increase in the premium."
Although observers say there is no sign other insurers will imitate Wurzler's premium increases, the move shows growing concerns about continuing vulnerability discoveries in Microsoft's software products.
Other insurance brokers--including Marsh & McLennon, Aon and Arthur J. Gallagher & Company--also provide hacker, or e-business security, insurance. Insurance agents contacted at those agencies wouldn't comment on whether they had plans to increase their premiums for Windows NT users.
"Logically, it seems Microsoft's server and client software needs more patches and thus this will cost users more to maintain their systems," said Richard Smith, chief technical officer for the Privacy Foundation. "It is interesting to see that some insurers are keeping up with the times."
Kopf said Wurzler made the decision based on findings from hundreds of security assessments the company has done on their small and midsize business clients over the past couple of years.
Microsoft's server product line has been plagued with recent security flaw discoveries. The company had pledged to beef up security in its upcoming Windows XP operating system.
Earlier this month, the software giant found a serious security hole in its flagship Web server software, Internet Information Server, and rushed to persuade system administrators to patch the flaw before attackers could target their systems.
A Windows 2000 server software problem discovered in April allowed hackers to crash a system by sending a simple request for a Web page.