Property Not Covered

1
Identifying And Insuring Web Site Exposures
William Yang, CISSP Founder, WDY Enterprises,
LLC Robert Guevara, AAIS Vice President,
Inland Marine March 16, 2005 Audio Dial 877-
326 - 2337 Conference ID 6767530
2
Co-sponsored Event

• American Association of Insurance Services (AAIS)
• Advisory organization based in suburban Chicago
• More than 600 carriers use forms and manuals
• Produces the Inland Marine Guide
• www.AAISonline.com
• Inland Marine Underwriters Assn. (IMUA)
• Trade association based in New York City
• More than 400 member companies
• Provides training, research, and analysis
  services
• www.imua.org

3
Before We Begin

• Interactive seminar
• View PowerPoint presentation over Internet
• Hear commentary over telephone
• Raise questions verbally or by chat function
• To use chat Click Exit Full Screen
• To go back Click View, select Full Screen
• Speed at which slides appear depends on--
• Your Internet connection
• Your computers speed
• Your servers speed

4
Before We Begin, cont.

• Please adhere to antitrust guidelines
• Observe guidelines at all times
• When communicating by phone
• When using chat function

5
Seminar Format

• William Yang on Web information security issues
• Robert Guevara on Web site coverages
• Questions and answers
• Phone
• Chat room

6
Information Security

• What are the core values of Information Security?
• Confidentiality
• Integrity
• Availability
• Perception value and Security
• Security as a Business Enabler

7
Understanding IT Losses

• Trying to find a good source of data to develop a
  statistical loss model.
• Strong disincentives for disclosure
• Will Regulation Help?
• Anecdotal Information Available Now
• FBI/CSI Annual Computer Crime survey
• Secret Service/CSO Magazine survey
• CERT Coordination Center
• Internet Storm Center
• Popular press? Zone H? And others

8
The Business of Technology

• COSTS
• Acquisition
• Deployment
• Maintenance
• Operation
• Disposal

• BENEFITS
• Productivity
• Consistency
• Quality
• Efficiency

9
Information Losses

• Disclosure (loss of Confidentiality)
• Intellectual Property
• Privacy
• Corruption/Destruction
• Reliance upon a resource
• Unavailability
• Time Value of data and process

10
Other Losses

• Civil and Criminal Liability
• Opportunity Cost
• Service Level/Contractual Penalties
• Shareholder Value
• Public Trust and Respect

11
Mitigating Technology Losses

• Risk Assessment
• Business Impact Assessment
• Safeguards
• Physical
• Operational
• Information Security Safeguards

12
Long-Term Risk Mitigation

• Security is a process, not a goal.
• Technical solutions and processes can, will, and
  must change over time to meet the evolving
  threats of information technology.
• Policy solutions also evolve but should change
  based on the business needs and goals, rather
  than the technology.

13
Coverage Issues

• Coverage For Web Site Servers Under An EDP Policy
• On-Site Servers
• Off-Site Servers

14
What Is A Web Host?

• An independent company that is in the business of
  providing the infrastructure for Web site servers
  and support services for Web sites

15
Coverage Issues

• EDP Coverage - Equipment
• Definition of Computer Equipment
• - Programmable Equipment
• - Servers
• Coverage At A Scheduled Location

16
Coverage Issues, cont.

• EDP Coverage - Equipment
• On-Site Server
• - Covered, Unless Specifically Excluded
• Off-Site Server
• - No Coverage, Unless Location Is Scheduled
• - Insurable Interest

17
Coverage Issues, cont.

• EDP Coverage - Software
• Definition of Software
• - Files and Programs
• Coverage At A Scheduled Location

18
Coverage Issues, cont.

• EDP Coverage - Software
• On-Site Server Software
• - Covered, Unless Specifically Excluded
• Off-Site Server Software
• - No Coverage, Unless Location Is Scheduled

19
Coverage Issues, cont.

• EDP Coverage - Software
• Virus And Hacking
• - Not Covered
• - Covered

20
Coverage Issues , cont.

• EDP Coverage - Income Coverage
• Income Exposure
• - Revenue Site
• - Subscription Site
• - Marketing - Point Of Contact Site

21
Coverage Issues, cont.

• EDP Coverage - Income Coverage
• Covered Property At Scheduled Locations
• - On-Site Server
• - Off-Site Server
• - Specific Exclusion

22
Coverage Issues, cont.

• Web Site Interruption Coverage
• Direct Physical Loss To
• - Server
• - Server Software
• - Building That Houses Server

23
Coverage Issues, cont.

• Web Site Interruption Coverage
• Coverage Limitations
• - Waiting Period, Hours
• - Time Limitation, Days

24
Coverage Issues, cont.

• Web Site Interruption Coverage
• Virus And Hacking Coverage
• - Sublimit, Occurrence
• - Sublimit, Annual Aggregate

25
Coverage Issues, cont.

• Web Site Interruption Coverage
• Additional Exclusions
• - Lack Of Bandwidth
• - Denial Of Service Attack
• - Loss Of Service Provider Or Web Host

26
Coverage Issues, cont.

• Web Site Interruption Coverage
• Additional Exclusions - Virus/Hacking
• - Loss Of Exclusive Use
• - Reduction Of Economic Value
• - Theft Of Confidential Information

27
Risk Exposures

• Web Site Interruption Coverage
• Web Site As Source Of Revenue
• - Online Sales
• - Subscription Service
• - Open Site

28
Risk Exposures, cont.

• Web Site Interruption Coverage
• Alternate Server
• - Backup Web Site
• - Alternate Server
• - Alternate Server Location

29
Risk Exposures, cont.

• Web Site Interruption Coverage
• Backup Procedures
• - Backup Of Web Site Software
• - Off-Site Storage Of Web Site Software

30
Risk Exposures, cont.

• Web Site Interruption Coverage
• Virus And Hacking
• - Regular Updating Of Anti-Virus Software
• - Web Host Screens For Viruses

31
Questions?

• Use phone or chat room
• Additional questions?
• BobG_at_AAISonline.com
• William.Yang_at_wdyllc.com