Cyber insurance will not steal IT channel business, claims CFC Underwriting

CFC Underwriting claims the channel is wrong to expect cyber insurance growth to affect business

The channel needs to stop expecting the cyber insurance market to steal funds from IT budgets, according to insurance firm CFC Underwriting.

Cyber insurance has often been criticised by the UK IT channel in the past and was accused of being "not worth the paper it's written on" at a CRN summit in 2015.

After reading the report, CFC Underwriting's Graeme Newman defended the insurance industry and told CRN that his firm has doubled its UK cyber security book over the last 12 months, driven by a combination of highly publicised data breaches and the imminent arrival of GDPR.

A report published by Allied Market Research at the end of last year predicted that the cyber insurance market will be worth $14bn (£11.3bn) by 2022 - nearly five times the current estimated market value of $3bn. Newman claimed that the IT industry is scared that insurance firms will start to dictate what end users buy, in much the same way as they do when it comes to physical security.

"The first home insurance policies weren't created until a couple of hundred years ago and now it's at a tipping point where insurers start to dictate the locks on the doors and the types of alarms used," he said.

"That happens over a period of time and there is a nervousness within the IT security industry that that could be starting to happen, so in essence they might want to stop the growth of insurance.

"Actually, IT budgets and insurance budgets are very separate. It's a misperception that a pound spent on insurance is a pound not spent on risk management. They come out of two different budgets."

Ian Mann, CEO at security consultancy ECSC, claimed the cyber insurance market will grow as end users start to fear potential GDPR fines, but added that this growth might not necessarily involve the channel.

GDPR rules are set to come into force in May 2018, meaning firms can be fined up to €20m (£17m) or four per cent of their annual turnover if they are found to have been negligent with data protection.

"Virtually nobody has cyber security insurance," he said. "It's a very small market and most people don't have it.

"That will change when the new legislation comes through with much bigger fines because it will be more on the radar of the company secretary.

"The interesting level could be if somebody wants to buy a package of security services that includes insurance.

"I think it would be interesting if [an end user] outsources their whole area of cyber security management, but normally you're getting different elements of your security from different providers so asking any one of them to insure that would be quite tricky."

Durgan Cooper, director of security and cyber risk at VAR Cetsat, said IT channel firms can help make cyber insurance a more effective option for end users by being actively involved in the early-stage policy writing.

"[Channel partners] have to be involved because the client invariably doesn't know their security posture and an insurance broker is an insurance broker," he said. "He or she is not a technical analyst who can go out and identify where you're at risk.

"When you go to a proposal form for a cyber insurance policy it asks you 'do you have a firewall?' It doesn't ask you 'what was the competency level of the installing engineer? What type of firewall was it? Was it a million-pound checkpoint or was it a £59 PC World special?'

"It's a bit of a blank canvas in that it's not specific even to a vendor, let alone a technology."