- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
IDG News Service - Three organizations are teaming up to offer what they claim is the first open source compliance insurance policy to provide coverage for companies around the world that are using open-source software in their businesses or within their own operations. The three organizations are risk mitigation consultancy Open Source Risk Management (OSRM), a Lloyd's of London underwriter Kiln and a Lloyd's broker Miller Insurance Services.
The policy will be called Open Source Compliance Insurance and it will initially offer maximum coverage of $10 million, according to OSRM CEO Daniel Egger. A company signing up for the policy will be reimbursed if they are determined to have suffered a direct loss should software they use or sell be found not to be in compliance with specific open source license agreements.
The definition of a direct loss may include any revenue loss a company might incur in relation to a product containing noncompliant open source software such as being forced to withdraw the product from the market or having to change it in some way such as rewriting part of the code. Another definition of a direct loss relates to any potential negative impact the discovery of noncompliant open source software may have on the value of a company's impending merger or acquisition, Egger said in a recent interview.
OSRM will act as the exclusive worldwide risk assessor and advisor for the new insurance policy, according to Matthew Hogg, intellectual property underwriter at Kiln. "If you take the example of the insurer of a commercial property, OSRM is the surveyor, " he said in a recent interview. Or in terms of title insurance, OSRM is the company that plows through all the documents to establish title, Egger added.
In practice, OSRM has a team of five people who will carry out an open source license compliance review on a company's software. This initial risk assessment costs between $25,000 and $50,000, according to Egger. OSRM will then report back to Hogg's Kiln on the findings of the review and after establishing the company's risk profile, the insurance policy will be drawn up. "The review firms up the facts that we've looked at it and believe in the position," Hogg said. "The buck [then] stops with the insurance company."
In its compliance review, OSRM uses its own Silhouette methodology. Egger said that OSRM's approach to determining a company's compliance differs from the compliance-assessment services already offered by the likes of Black Duck Software and Palamida. "We're not in competition with them," he said. "They're about the cut and pasting [of open source software], we're about the links [of open source software] into a company's software."
License compliance can depend on what level a proprietary application is calling into or linking to an open source piece of software, he added. The lower a link into, say, the kernel of the open source Linux operating system, the more likely the potential for noncompliance with licenses.
Based on a customer's risk profile, $10 million of coverage will cost about $200,000 in premiums on an annual basis, according to Hogg. If a customer's risk profile is very straightforward, the premium could be less, if it's more complex, it could be higher than $200,000, he said. Egger pointed out that some clients, especially smaller, venture-backed software companies, may not require as much as $10 million in coverage.