Three organizations are teaming up to offer what they claim is the first open-source compliance insurance policy to provide coverage for companies around the world that are using open-source software in their businesses or within their own operations. The three organizations are risk mitigation consultancy Open Source Risk Management Inc. (OSRM), a Lloyd’s of London underwriter Kiln PLC and a Lloyd’s broker Miller Insurance Services Ltd.
The policy will be called Open Source Compliance Insurance and it will initially offer maximum coverage of US$10 million, according to Daniel Egger, chief executive officer of OSRM. A company signing up for the policy will be reimbursed if they are determined to have suffered a direct loss should software they use or sell be found not to be in compliance with specific open-source license agreements.
The definition of a direct loss may include any revenue loss a company might incur in relation to a product containing noncompliant open-source software such as being forced to withdraw the product from the market or having to change it in some way such as rewriting part of the code.
Another definition of a direct loss relates to any potential negative impact the discovery of noncompliant open-source software may have on the value of a company’s impending merger or acquisition, Egger said in a recent interview.
OSRM will act as the exclusive worldwide risk assessor and advisor for the new insurance policy, according to Matthew Hogg, intellectual property underwriter at Kiln. “If you take the example of the insurer of a commercial property, OSRM is the surveyor, ” he said in a recent interview. Or in terms of title insurance, OSRM is the company that plows through all the documents to establish title, Egger added.
In practice, OSRM has a team of five people who will carry out an open-source license compliance review on a company’s software. This initial risk assessment costs between $25,000 and $50,000, according to Egger.
OSRM will then report back to Hogg’s Kiln on the findings of the review and after establishing the company’s risk profile, the insurance policy will be drawn up. “The review firms up the facts that we’ve looked at it and believe in the position,” Hogg said. “The buck [then] stops with the insurance company.”
In its compliance review, OSRM uses its own Silhouette methodology. Egger said that OSRM’s approach to determining a company’s compliance differs from the compliance-assessment services already offered by the likes of Black Duck Software Inc. and Palamida Inc. “We’re not in competition with them,” he said. “They’re about the cut and pasting [of open-source software], we’re about the links [of open-source software] into a company’s software.”
License compliance can depend on what level a proprietary application is calling into or linking to an open-source piece of software, he added. The lower a link into, say, the kernel of the open-source Linux operating system, the more likely the potential for noncompliance with licenses.
Based on a customer’s risk profile, $10 million of coverage will cost about $200,000 in premiums on an annual basis, according to Hogg. If a customer’s risk profile is very straightforward, the premium could be less, if it’s more complex, it could be higher than $200,000, he said. Egger pointed out that some clients, especially smaller, venture-backed software companies, may not require as much as $10 million in coverage.
There will be some gray areas when assessing compliance, Egger said. For instance, one of the key areas being hotly debated in open-source circles is how licenses cover software distribution, particularly in relation to Web services. There will also be some borderline issues, he added. What some individuals may consider fine behavior in relation to using an open-source license, others may dispute. Kiln will take on those risks for policyholders, he said.
OSRM, Kiln and Miller have not been preselling the insurance policy, according to Egger, but he said he expects to announce the first customer for the policy shortly.
Over the next three to four years, Egger believes all Global 2000 companies will have very clear policies and procedures in place about how to deal with open-source software. At the moment, many companies are just starting to realize they may have a problem with open-source licenses and are beginning to educate their developers.
“It has been a long time coming,” Michael Goulde, senior analyst with Forrester Research Inc., said, alluding to the time OSRM has taken in finally going public with the insurance policy, first talking up the idea in March 2004. Egger admitted that finalizing the policy has proven a complicated undertaking.
“The policy is somewhat limited compared to the broader needs customers have to get assurance against any potential liabilities,” Goulde added in a recent phone interview. However, the policy will likely whet customers’ appetites for different types of insurance policies to cover their software.
The key thing is for OSRM and its partners to accurately explain to customers what the new policy will cover, Goulde said.