Re: An opposing point of view
I would have thought that contributory negligence - failure to patch - would have been the tack used by the insurance companies.
That would set a precedent with a strong chilling effect on the market.
When you insure for fire damage (in a stable, industrialized country), there are well-documented protocols to follow for the insured: building codes, fire codes, inspections, etc. It's pretty easy for the insured to be in compliance and demonstrate that.
With IT-security insurance, there are few or no regulations, depending on the business. There are no standard independent inspections, and no agreement on what you'd inspect for. Potential insurance customers know they'd have a hard time showing they weren't negligent. So if insurers look like they're going to weasel out of paying claims, the market will discount the value of IT-security insurance to the point where it's no longer a viable product.
The IT-insurance market is enough of a mess already. Policies are ill-defined, claims may be hard to prove (fires leave a lot of evidence; rootkits not so much), data for actuarial analysis is thin, the market is immature (so risk pools are small and reinsurance harder to come by), and it's largely untested in court. Apparently Zurich America have decided to risk the last, but as others have noted, there's an excellent chance this will settle out of court.
Biting the hand that feeds IT
