Is Cyber Insurance a Channel Threat or Opportunity?

[Audrey McNeil <audrey () riskbasedsecurity com>]

http://channelnomics.com/2014/07/24/cyber-insurance-channel-threat-opportunity/#.U9FBgPldVjI

The growing buzz around cybersecurity insurance is polarising channel
opinion, with some viewing it as a threat and others a lucrative sales
opportunity.

Demand for cyber cover is rising rapidly as end users look to guard
themselves against the potential fallout of a data breach.

According to one underwriter quoted in UK newspaper The Telegraph this
month, gross premiums in the sector are set to rise from $850 million in
2012 to well over $2 billion this year.

With security budgets being finite, it’s easy to sympathise with fears that
any firm moving to take out cover will be left with less to spend on
actually bolstering their defences.

“You could see it as a threat [to the channel] as people may start saying
that because they’ve got a decent security insurance policy in place, they
don’t care about security,” said Mark Evans, UK country manager of security
VAR Integrity.

According to a recent report by independent testing lab NSS Labs, insurance
companies have so far struggled to determine the nature and extent of the
actual cyber risks faced by each firm they insure. The losses US retailer
Target incurred as a result of its recent data breach were probably not
covered by its $100 million in cyber insurance, NSS said.

Perhaps unsurprisingly, 63 percent of security professionals questioned at
this year’s Infosecurity Europe show in April by vendor AppRiver believed
cyber liability insurers would not actually honour a claim if one were made.

Evans also expressed concerns about the clauses insurers would insert
around non-payment.

“You’d have to do a full-blown risk assessment first, which would cost a
lot of money in its own right,” he cautioned.

Oliver Pinson-Roxburgh, systems engineering manager at security vendor
Trustwave, shared Evans’ reservations over whether taking out cyber
insurance with an underwriter is the right approach.

“I wouldn’t like [end users] to feel a false sense of security just because
they have security protection,” he said.

Cyber insurance may still be an immature sub-industry but Barrie Desmond,
group marketing director at security distributor Exclusive Networks, said
the channel should not view it as a threat and urged resellers to consider
forging joint ventures in this area.

“I think the exact opposite – I think it will create a boom for resellers,”
he said.

The imperative to take out cyber insurance – along with pending new EU
guidelines and growing awareness over cybercrime – will prompt end users to
spend more on security products and services than ever before, Desmond
argued.

“When my car was broken into, I’d forgotten to lock the door and the
insurance firm didn’t want to pay out. Like in any situation, if you are
reckless, you will not be paid, and insurers will be asking whether you
have anti-virus, anti-spam, content filtering, IPS etc in place. You’ll
have to tick a lot of boxes and say you’ve got all that.”

Desmond added: “This time next year, cyber insurance will be common. If I
were a reseller, I would joint-venture with a business insurance broker and
offer it as a segue into customers.”

Specialist insurers are beginning to draw up policies where the cost of the
premium is cut if their clients have in place certain IT security
technologies, noted Ross Baker, UK sales and channel director at Trend
Micro.

“Security is often talked about as a de facto insurance policy for
organisations, but now it is being explicitly referenced by the insurance
industry itself,” Baker said. “This offers as-yet-unrealised possibilities
for channel partners to team up with insurers and vendors to offer end
customers a whole new kind of package.

“For resellers looking for that elusive ‘value-add’ and those trying, but
more often than not failing, to gain the ear of the
CISO or CIO, this could be an interesting new opportunity. At the very
least it could open the door to that all-important conversation with the
C-level, maybe even the CFO, and differentiate you from the crowd.”

Garry Sidaway, director of security strategy at NTT Com Security, said
incidents such as the Sony data breach, where the victim has not been
covered by their general insurance, demonstrates there is a market for
specialist cyber insurance. But he cautioned that there is a lot of room
for ambiguity in such a young market.

“The ambiguity is around what you’re actually covering,” he said. “Our
clients are taking the approach that they want to put the right controls in
place, reduce the risks where they can and then insure the bit they can’t
mitigate.”

_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 

Supporters:

Risk Based Security (http://www.riskbasedsecurity.com/)
YourCISO is an affordable SaaS solution that provides a comprehensive information security program that ensures focus 
on the right security.  If you need security help or want to provide real risk reduction for your clients contact us!