CFC Underwriting hits back at claims that cyber-liability insurance 'not worth paper it's written on'
Remarks made during a CRN debate that cyber-insurance is "not worth the paper it's written on" have been blasted by an insurer working in that part of the market.
Reseller bosses came out strongly against cyber-liability insurance during a panel session at the recent CRN/Channelnomics Online Security Summit.
Marty Legg, cloud services director at SecureData, branded cyber-insurance – a market now estimated to be worth well over $2bn (£1.3bn) annually – an "immature way" of dealing with cyberthreats. Meanwhile, Garry Sidaway, senior vice president of security strategy at NTT Com Security, dismissed it as "not worth the paper it's written on". Sidaway has since expanded on his viewpoint in an opinion piece for CRN.
Graeme Newman, director of CFC Underwriting, which bills itself as a pioneer of this class of insurance in the London market, got in touch with CRN to say he was "gobsmacked" by the comments, which he read in our original story.
"I find the comments by Garry and Marty somewhat disturbing," he said.
"Would the providers of home alarm and security systems tell their customers not to purchase home insurance? Their equivalent argument would be that home insurance just pays for your financial loss but can do nothing to replace the sentimental value of lost items."
Newman added: "It doesn't matter whether you're covering cyber-risks, physical property or general liability – neither risk management nor insurance work in isolation, nor does one substitute the other. There is no way that the cyber-insurance market would come out and say 'don't buy any security technology, just get yourself a cheap insurance policy'. It is obvious to all involved that insurance is not seen as a substitute for risk management, but the two are designed to go hand in hand."
These views do not appear to be entirely inconsistent with Sidaway's, however, with the NTT Com Security chief arguing in his comment piece this week that insurance should never be considered "without having a robust strategy for preventing security breaches in the first instance".
Lior Arbel, chief technology officer at Performanta Ltd, another IT security consultancy, also had reservations about the growing use of cyber-insurance, saying it "ignores that the damage from a cyberattack goes far beyond specific infrastructure or hardware damages".
"The full effect of a cybersecurity attack could involve not only the loss of precious data, and the loss of trust, but also result in irreparable reputational damage with customers. Priority for budget must therefore be in technologies and strategies to prevent the cyberattack in the first place," Arbel said.
During the CRN debate, Legg described cyber-insurance as an "interesting new shoot" of how firms deal with cyberthreats, but argued it is a "very odd way of dealing with it".
"It's not particularly expensive and they feel all of a sudden I've got another tick in the box," he said. "But I feel it is an immature way of dealing with it. But I don't underestimate it..."
Sidaway then chimed in, demanding "you ask Sony about cyber-insurance!", arguing that, unlike car insurance, it is tough to quantify what exactly is being covered.
"So for me, it's a difficult one to justify," he said. "I understand why people are going that way but when it comes to a breach, or an incident, it's really not worth the paper it's written on."