Here is what we're working on and
thinking at Hedgehog security.

There is a growing buzz and hype around "cybersecurity insurance", and the insurance industry is polarising opinion. Some see "cybersecurity insurance" as a threat while others see it as a lucrative sales opportunity.

Is it worth it?

Over the past 12 months, we have seen demand for insurance cover rise rapidly as end users look to guard themselves against the potential fallout of a data breach. An underwriter was quoted in The Telegraph this month stating that gross premiums in the sector are set to rise from $850 million in 2012 to well over $2 billion this year.

Budgets are still finite in the current economic climate, despite claims that the industry is growing more now than before the economic crisis. Businesses are acutely aware of where they are spending valuable capital. Security budgets are a tiny proportion of many businesses' overall information technology budget, so it is easy to understand why businesses are taking out cover: the cover costs far less than actually bolstering their defences.

According to a recent report by independent testing lab NSS Labs, insurance companies have so far struggled to determine the nature and extent of the actual cyber risks faced by each firm they insure. The losses US retailer Target incurred as a result of its recent data breach were probably not covered by its $100 million in cyber insurance, NSS said.

Perhaps unsurprisingly, 63 per cent of security professionals questioned at this year's Infosecurity Europe show in April by vendor AppRiver believed cyber liability insurers would not actually honour a claim if one were made.

Evans also expressed concerns about the clauses insurers would insert around non-payment. "You'd have to do a full-blown risk assessment first, which would cost a lot of money in its own right," he cautioned.

Oliver Pinson-Roxburgh, systems engineering manager at security vendor Trustwave, shared Evans' reservations over whether taking out cyber insurance with an underwriter is the right approach.
"I wouldn't like [end users] to feel a false sense of security just because they have security protection," he said.

Cyber insurance may still be an immature sub-industry but Barrie Desmond, group marketing director at security distributor Exclusive Networks, said the channel should not view it as a threat and urged resellers to consider forging joint ventures in this area. "I think the exact opposite. I think it will create a boom for resellers," he said.

The imperative to take out cyber insurance, along with pending new EU guidelines and growing awareness over cybercrime, will prompt end users to spend more on security products and services than ever before, Desmond argued.

"When my car was broken into, I'd forgotten to lock the door and the insurance firm didn't want to pay out. Like in any situation, if you are reckless, you will not be paid, and insurers will be asking whether you have anti-virus, anti-spam, content filtering, IPS etc in place. You'll have to tick a lot of boxes and say you've got all that."

Desmond added: "This time next year, cyber insurance will be common. If I were a reseller, I would joint-venture with a business insurance broker and offer it as a segue into customers."

Specialist insurers are beginning to draw up policies where the cost of the premium is cut if their clients have in place certain IT security technologies, noted Ross Baker, UK sales and channel director at Trend Micro.

"Security is often talked about as a de facto insurance policy for organisations, but now it is being explicitly referenced by the insurance industry itself," Baker said. This offers as-yet-unrealised possibilities for channel partners to team up with insurers and vendors to offer end customers a whole new kind of package.

For resellers looking for that elusive "value-add" and those trying, but more often than not failing, to gain the ear of the CISO or CIO, this could be an interesting new opportunity. At the very least it could open the door to that all-important conversation with the C-level, maybe even the CFO, and differentiate you from the crowd.

Garry Sidaway, director of security strategy at NTT Com Security, said incidents such as the Sony data breach, where the victim has not been covered by their general insurance, demonstrate there is a market for specialist cyber insurance. But he cautioned that there is a lot of room for ambiguity in such a young market.

"The ambiguity is around what you're actually covering," he said. "Our clients are taking the approach that they want to put the right controls in place, reduce the risks where they can and then insure the bit they can't mitigate."