Should Zero Day Vulnerability be covered under Cyber Insurance?


A Google Research Reporter has just released information about a vulnerability in Windows 8.1 which has remained unpatched for more than 90 days even after Microsoft was informed about it.

Read the Details here

A discussion is going on about whether Google was right to publish the vulnerability, which could exist in millions of computers worldwide and could be exploited to commit various kinds of cyber crimes.

Ethics apart, this also raises the issue of what happens to the thousands of computer users who may find the vulnerability exploited by a criminal who either uses it to siphon off money from banks and other financial assets or simply uses it for e-extortion.

Until Microsoft itself is able to find a solution, it is unfair to expect any user, or a CISO in an organizational environment, to be able to defend effectively against this vulnerability.

This raises another question in the minds of conservative corporates, who may be inclined to cover every known or unknown risk with insurance: would an “attack based on a zero-day vulnerability” be within the scope of the insurance policy?

What if an insurance company equates this to an “Act of God” kind of event, or at least a “Special Premium case”, and refuses to cover the losses under the current standard policy?

Will the status of the risk change after it has become public knowledge, so that exploits prior to this day would be covered and those on subsequent days would not?

Well, these are the issues that the insurer and the insured need to discuss and settle at the time of writing the contract.

We are trying to understand what the market perception is on this issue in our India Cyber Insurance Survey 2015. Please participate in the survey and contribute your thoughts to the pool as well. You can access the survey form here:

 https://fs22.formsite.com/SBYrSa/form2/index.html

I would appreciate it if you could also ask your friends to participate and contribute their views to make the survey a success.

Naavi

 

About Vijayashankar Na

Naavi is a veteran Cyber Law specialist in India and is presently working from Bangalore as an Information Assurance Consultant. Having pioneered concepts such as ITA 2008 compliance, Naavi is also the founder of Cyber Law College, a virtual Cyber Law Education institution. He is now focusing on projects such as Secure Digital India and Cyber Insurance.