Insurance broker J.S. Wurzler Underwriting Managers has started charging up to 15 percent more in premiums to clients that use Microsofts Internet Information Server software, which the Code Red worm feasted on.
In light of the $2 billion in damage caused by Code Red, founder and CEO John Wurzlers decision just before the virus hit seems prescient. Wurzler gained notoriety earlier this year for hiking cyberinsurance rates on companies that use Microsoft NT software on their servers.
So far, Wurzler appears to be the only insurer singling out Microsoft for higher rates. And some security officials are not kind in their comments.
"Wurzler is full of it," said Russ Cooper, the editor of the NTBugTraq Web site and an employee of computer risk management and security firm TruSecure. According to Cooper, Windows NT and IIS are easier to secure than comparable Unix- or Linux-based servers because Microsoft does a better job of publicizing and supplying the needed security patches for its products. "Its easier to manage Microsoft server software because you can get all the patches in one place," he said.
Wurzler, who has been selling hacker insurance since 1998, based his decision on more than 400 security analyses done by his firm over the past three years. Wurzler found that system administrators working on open source systems tend to be better trained and stay with their employers longer than those at firms using Windows software. That turnover may mean that security patches dont get installed, said Wurzler, who offers lower rates to clients that use NT and IIS if they can show that their administrators are following best practices.
Microsoft itself fell victim to Code Red. "We have been very good in patching our own systems. But we havent been perfect," said Microsoft spokesman Jim Desler, who believes Wurzlers move isnt supported by the facts. "Within the last month, every major software vendor has had a major vulnerability discovered," Desler said.
Emily Freeman, a senior vice president of giant insurance brokerage firm Marsh, said the industry is watching Wurzlers move with interest. Insurers are "concerned that some systems are more vulnerable" than others, she said. But, she added, "There arent any actuarial tables yet to justify different rates."
Those arguments dont faze Wurzler, who insists his approach is the right one. "Hackers hate Bill Gates, so they want to write code that embarrasses him," Wurzler said. And because that attitude wont change anytime soon, Wurzler said, the most reasonable course is to charge higher premiums for NT and IIS.