Kiln plc, a Lloyd’s of London underwriter, Miller Insurance Services Limited, a Lloyd’s broker, and risk assessor Open Source Risk Management (OSRM) of New York, are working together to offer the product.
Open Source Compliance Insurance, as the policy will be called, claims to be the world’s first policy to cover the specialised risks faced by enterprises that include or rely upon elements of Linux and other open source software in their commercial products or internal IT infrastructure.
With open source software, the source code is made available for use or modification as users or other developers see fit. It is usually developed as a public collaboration and made freely available, but comes with a licence detailing the conditions of use.
The most famous of these licences is the GPL (General Public Licence), which is used for many free software projects, including the Linux operating system kernel. The GPL licenses software free of cost but requires any re-distributor to provide the full source code and a copy of the full licence text.
According to Kiln, Miller and OSRM, in the last two years there have been more than thirty legal claims involving infringement of open source licences around the world. In each case, plaintiffs have prevailed in enforcing their rights to restrict the use of their code.
A common risk faced by firms is the development of proprietary software, such as trading tools or inventory management applications, using one or more open source software components. Simple actions such as making these tools available on an extranet, or sending them to external partners or suppliers, constitute "distribution" under the GPL and require the company to open source that proprietary application, making it freely available to competitors.
Open source compliance is excluded from standard Errors and Omissions insurance and is of particular concern for privately held technology companies seeking to be acquired in merger and acquisition transactions, obtaining equity financing or going public. It is also a potential material risk for US public companies and some UK public companies under Sarbanes-Oxley.
"The emerging open source model of worldwide collaborative technology development introduces novel business risks that traditional insurance products can but have not addressed," said Matthew Hogg, underwriter for Kiln Risk Solutions. "Open Source Compliance insurance will make it safe for large and small corporations to adopt and build upon the important innovations coming from this vibrant global community."
Open Source Compliance Insurance will initially offer cover of up to $10 million for direct loss suffered by the insured following a finding of non-compliance with specific licence agreements under which open source code is obtainable.
According to Kiln, Miller and OSRM, the insurance will indemnify the insured for the loss of profits associated with the withdrawal or alteration of a product incorporating non-compliant code or the impaired valuation of an acquisition agreement exchanging open source software. In certain circumstances the policy would also pay the costs to mitigate such losses including the expense of repair or replacement of code that is found to infringe upon the GPL or other Open Source licences.
Speaking to ComputerWorld.com, Forrester Research analyst Michael Goulde welcomed the move, but described the policy as “fairly narrow,” explaining that it was targeted more at commercial software firms than general corporate open source users.