Professional Liability Insurance

[Thorn]

Currently, I have a generic "computer consultant" liability insurance giving me $500k USD coverage. Unfortunately, I don''t think my current agent understands what I do. Frankly, he just doesn't get it. As I do more and more security work, and specifically pen testing of financial institutions, I'm wondering if I have adequate coverage. Recently, an acquaintance who's in the insurance business said that understand what the pen test and infosec business involves. (I think he's seen Sneakers. ) At this point, I'm planning to sit down with this guy, and see what he has to say. Before I do however, I figured I'd ask what other pen testers are using for professional liability insurance, and what do you have for coverage? Do you have any advice on limits and do you have riders for any specific liabilities or specific problem areas?

[xX_Spiidey_Xx]

Personally, having owned an IM/IT consulting and production business, $500k coverage simply was not enough. I had to consider several factors, especially if I had to modify a contract to get a job. The simplest way to keep the basic 500k liability coverage would be to add a clause to your contract negating any responsibility for damages, downtime, etc., and having your contractee accept all risks associated with the work you perform on their networks and systems.

That said, I've run into problems in the past where the company or individual would flat-out refuse to accept risks and responsibility. As we all all aware, cash is capital in our society, and if we can't adapt, we can't evolve. Sometimes a contract needs to be altered. In these situations, I would have my client draft an estimate for their cost of lost profits and downtime. Then I would call my insurance broker/company and ask them to change my coverage for the duration of the job, to cover 20% more than the client's estimate. After my work was complete, I would have the client sign a post-operation contract stating the deficiencies I found (if any), commit to the final charges and fees for the job, and that they confirm that their systems are in the same condition (or better if they paid me to patch) as when I began the job.

I like to cover myself, and when you have a lawyer in the family, it makes it that much easier. I hope this post helps you in some way or another!

Cheers,

xX_Spiidey_Xx

[crweedon]

ask him if your professional liability insur. and errors and omissions insur. would be one in the same. many companies consider these to be seperate. i personally find that for small to mid-size biz. 3 mil is more than adequate, also be aware when doing pentests on web applications or data servers that the actual data and code needs to be covered and not just the hardware and downtime. but for the most part refer to spideys post. alot of good insight there!