Cyber insurance: Channel friend or foe?

Should resellers be embracing cyber liability insurance or treating the phenomenon with suspicion as it threatens to go mainstream?

The growing buzz around cybersecurity insurance is polarising channel opinion, with some viewing it as a threat and others a lucrative sales opportunity.

Demand for cyber cover is rising rapidly as end users look to guard themselves against the potential fallout of a data breach.

According to one underwriter quoted in a Telegraph article this month, gross premiums in the sector are set to rise from $850m (£496m) in 2012 to well over $2bn this year.

With security budgets being finite, it's easy to sympathise with fears that any firm moving to take out cover will be left with less to spend on actually bolstering their defences.

"You could see it as a threat [to the channel] as people may start saying that because they've got a decent security insurance policy in place, they don't care about security," said Mark Evans, UK country manager of security VAR Integrity.

According to a recent report by independent testing lab NSS Labs, insurance companies have so far struggled to determine the nature and extent of the actual cyber risks faced by each firm they insure.

The losses US retailer Target incurred as a result of its recent data breach were probably not covered by its $100m in cyber insurance, NSS said.

Perhaps unsurprisingly, 63 per cent of security professionals questioned at this year's Infosecurity Europe show in April by vendor AppRiver believed cyber liability insurers would not actually honour a claim if one were made.

Evans also expressed concerns about the clauses insurers would insert around non-payment.

"You'd have to do a full-blown risk assessment first, which would cost a lot of money in its own right," he cautioned.

Oliver Pinson-Roxburgh, systems engineering manager at security vendor Trustwave, shared Evans' reservations over whether taking out cyber insurance with an underwriter is the right approach.

"I wouldn't like [end users] to feel a false sense of security just because they have security protection," he said.

Cyber insurance may still be an immature sub-industry but Barrie Desmond, group marketing director at security distributor Exclusive Networks, said the channel should not view it as a threat and urged resellers to consider forging joint ventures in this area.

"I think the exact opposite - I think it will create a boom for resellers," he said. The imperative to take out cyber insurance - along with pending new EU guidelines and growing awareness over cybercrime - will prompt end users to spend more on security products and services than ever before, Desmond argued.

"When my car was broken into, I'd forgotten to lock the door and the insurance firm didn't want to pay out. Like in any situation, if you are reckless, you will not be paid, and insurers will be asking whether you have anti-virus, anti-spam, content filtering, IPS etc in place. You'll have to tick a lot of boxes and say you've got all that."

Desmond added: "This time next year, cyber insurance will be common. If I were a reseller, I would joint-venture with a business insurance broker and offer it as a segue into customers."

Specialist insurers are beginning to draw up policies where the cost of the premium is cut if their clients have in place certain IT security technologies, noted Ross Baker, UK sales and channel director at Trend Micro.

"Security is often talked about as a de facto insurance policy for organisations, but now it is being explicitly referenced by the insurance industry itself," Baker said. "This offers as-yet-unrealised possibilities for channel partners to team up with insurers and vendors to offer end customers a whole new kind of package.

"For resellers looking for that elusive 'value-add' and those trying, but more often than not failing, to gain the ear of the CISO or CIO, this could be an interesting new opportunity. At the very least it could open the door to that all-important conversation with the C-level, maybe even the CFO, and differentiate you from the crowd."

Garry Sidaway, director of security strategy at NTT Com Security, said incidents such as the Sony data breach, where the victim has not been covered by their general insurance, demonstrate there is a market for specialist cyber insurance. But he cautioned that there is a lot of room for ambiguity in such a young market.

"The ambiguity is around what you're actually covering," he said. "Our clients are taking the approach that they want to put the right controls in place, reduce the risks where they can and then insure the bit they can't mitigate."