Cyberinsurance: Money for Nothing?

Cyberinsurance may be the hot product in the insurance industry now, but many CSOs are wondering whether it’s worth the money. Most reputable insurers now require that policyholders undergo a security assessment of their IT assets by a managed security services provider (MSSP). “We want a tangible sense of what you’re doing in terms of putting in intrusion detection systems, firewalls and business continuity planning,” says Peter Foster, senior vice president of the risk practice at Marsh.

MSSP’s consultants will analyze and measure a company’s level of IT security against some objective standard, usually the International Standards Organization 17799 or British 7799 standards. While total adherence to those standards isn’t expected, companies that measure up will get discounted premiums and better terms on their policies, says Ty Sagalow, COO and executive vice president at American International Group eBusiness Risk Solutions. In addition, companies that outsource security services to an MSSP can receive discounts on their premiums, according to both Sagalow and Foster. Marsh offers customers using an MSSP a discount of up to 20 percent on their annual premiums, which range from $7,000 to $25,000 per year for each million dollars of coverage, Foster says. With costs that high, any reduction in premiums can make a huge difference to a company’s cost of business, which is spurring interest in MSSPs, according to Paul Brady, president and COO of Guardent.

But cyberinsurance is still a tough sell for most companies when weighed against the costs of acquiring it, says John Pescatore, research director at Gartner. “The problem is that it’s hard to define the benefits of cyberinsurance, but the terms of cyberinsurance policies are expensive,” he says.

Attitudes and buying behavior might change if large corporations and procurers, such as the federal government, began requiring suppliers to have cyberinsurance, Pescatore says.