Hacker Insurance -- A New Twist on Insuring Web Business Risks

"Think of our product as your insurance policy." How often have you heard that line from a security vendor? Now, managed-security services provider Counterpane can make that claim with reasonable accuracy. On July 10, 2000, Counterpane announced a partnership with Lloyd's of London to offer Internet Asset and Income Protection Coverage
(or "hacker insurance") to companies that use Counterpane's managed-security service; the announcement has garnered significant coverage this week. Although this is not the first example of insurance against web-related threats to a company's bottom line, the marriage of managed services to insurance is new.

Several insurers have offered liability insurance for web- and hacking-related damage, starting with InsureTrust in 1998. Because online business is such a new insurable, no actuarial tables exist, so insurers assess the risk of companies seeking coverage through security audits. They often contract this audit out to experienced security assessment firms, such as SNCI, a subsidiary of Axent, which provides security audits for JS Wurzler Underwriting Manager's web-site insurance and security program. Others, such as InsureTrust, have grown their own team of security experts to audit prospective clients. Once the insurer has qualified the company as at least reasonably secure, it offers insurance premiums based on the assessed risk level, and often provides information on areas where companies could improve their security and thereby lower their premiums.

THE HURWITZ TAKE: i.e., "if you outsource security monitoring to us, not only will we keep you secure, but if we don't, you get paid." Counterpane's risk is also mitigated: if its customers can collect for damages in the event of a breach, perhaps they will be less likely to go after their security provider.

Counterpane's agreement with Lloyd's of London offers a new twist on this model. Lloyd's of London is using the adoption of Counterpane's services as a measure of adequate protection in this new and relatively unanalyzed area of risk. This is an excellent validation for Counterpane, and the company also benefits because the ability to offer insurance to any of its customers is a differentiator in the growing field of managed security services.

An important question, then, is: with the limited budgets currently available for security, how many companies will buy these offerings? In the short term, the answer might be "a few." Counterpane's client base is already a security-conscious group (its services aren't cheap), and they are likely to be willing to spend the extra on an insurance premium. However, as more companies realize the extent of their financial stake in maintaining web security, and the difficulty in both quantifying and mitigating the risks involved, they will be more likely to want to transfer that risk to a third party, and the market for web-liability insurance will grow. In the long run, Hurwitz Group believes that web-liability insurance will become as standard as building insurance.

Within five years or so, the insurance industry will also likely begin to amass the data necessary to quantify these risks with more standard statistical modeling and a more commonly understood baseline for acceptable practices. Until then, however, insurance companies will continue to rely on assessments by security consultants to help manage their risks. The fit between insurers and managed-security service providers, with their established expertise and practices, seems to be a particularly good one. Hurwitz Group expects to see more agreements between them as the market matures over the next three to nine months.

Copyright © 2000 IDG Communications, Inc.
