Business

Open-Source Compliance Insurance Hits the Marketplace

It won’t help in the aftermath of hurricanes, but it could help in technology storms.

Insurance underwriter Kiln plc, a Lloyd’s of London underwriter and Miller Insurance Services Limited, a Lloyd’s broker, said yesterday that they will offer a new product called Open Source Compliance Insurance. Open Source Risk Management, Inc. (OSRM) will act as the exclusive worldwide risk-assessor and advisor.

Offering Protection

Open Source Compliance Insurance is the first insurance policy to cover the risks facing enterprises that include or rely upon elements of Linux and other open-source software in their commercial products or internal IT infrastructure.

Worldwide, the organizations report more than 30 legal claims involving infringement of open-source licenses have been brought against corporations in the last two years. In each case, plaintiffs have prevailed in enforcing their rights to restrict the use of their code.

“Not every company using open source is exposed to risks associated with license infringement but as adoption rapidly increases it is critical that companies take licenses seriously and fully understand what constitutes violation and therefore exposure,” said Daniel Egger, CEO of OSRM.

Open-Source Indemnity

Open Source Compliance Insurance will initially offer up to US$10 million of coverage for a policy holder’s direct loss in the wake of a finding of non-compliance with specific license agreements under which open-source code is obtainable.

The insurance will indemnify the policy holder for the loss of profits associated with the withdrawal or alteration of a product that incorporates non-compliant code or the impaired valuation of an acquisition agreement exchanging open source software.

In certain circumstances the policy would pay the costs to mitigate such losses including the expense of repair or replacement of code that is found to infringe upon the General Public License (GPL) or other open-source licenses.

“The emerging open source model of worldwide collaborative technology development introduces novel business risks that traditional insurance products can but have not addressed,” said Matthew Hogg, underwriter for Kiln Risk Solutions. “Open Source Compliance insurance will make it safe for large and small corporations to adopt and build upon the important innovations coming from this vibrant global community.”

Risk Scenarios

A common risk scenario includes development of proprietary software, such as trading tools or inventory management applications, using one or more open-source software components. Simple actions like making these tools available on an extranet, or sending them to external partners or suppliers, constitutes “distribution” under a GPL license and requires a company to open source that proprietary application, making it freely available to competitors.

But Interabor Solutions Principal Analyst Dana Gardner told LinuxInsider that the more he thinks about open-source insurance, the less it makes sense to him. Purchasing insurance for open-source indemnification, he said, strikes him as a band-aid rather than a solution — and one that could potentially exacerbate the risk because it may lead to complacency.

“What is more impressive is products and services from companies like Palamida and Black Duck,” Gardner said. “These companies are coming to market to help customers get a handle on what the risks are with technologies that allow software products to do what food products have done for years — state clearly exactly what the ingredients are in that product.”

Gardner, for one, would rather see a mature solution to the challenge; one that tells customers what is in the software, where it came from, whether it is indemnified or not, and whether it is legally licensed or not. Armed with those facts, he said companies can make a smart decision about potential risks without just covering the problem with insurance.

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

LinuxInsider Channels