Hacker Insurance -- A New Twist on Insuring Web Business Risks.

By: Robin Mejia, Analyst

"Think of our product as your insurance policy." How often have you heard
that line from a security vendor? Now, managed-security services provider
Counterpane can make that claim with reasonable accuracy. On July 10, 2000,
Counterpane announced a partnership with Lloyd's of London to offer
Internet Asset and Income Protection Coverage -- or "hacker insurance" --
to companies that use Counterpane's managed-security service; the
announcement has garnered significant coverage this week. Although this is
not the first example of insurance against web-related threats to a
company's bottom line, the marriage of managed services to insurance is new.

Several insurers have offered liability insurance for web- and
hacking-related damage, starting with InsureTrust in 1998. Because online
business is such a new insurable, no actuarial tables exist, so insurers
assess the risk of companies seeking coverage through security audits. They
often contract this audit with experienced security assessment firms, such
as SNCI, a subsidiary of Axent, which provides security audits for JS
Wurzler Underwriting Manager's web-site insurance and security program.
Others, such as InsureTrust, have grown their own team of security experts
to audit prospective clients. Once the insurer has qualified the company as
at least reasonably secure, it offers insurance premiums based on the
assessed risk level, and often provides information on areas where
companies could improve their security -- and thereby lower their premiums.

THE HURWITZ TAKE: Counterpane's agreement with Lloyd's of London offers a
new twist on this model. Lloyd's of London is using the adoption of
Counterpane's services as a measure of adequate protection in this new and
relatively unanalyzed area of risk. This is an excellent validation for
Counterpane, and the company also benefits because the ability to offer
insurance to any of its customers is a differentiator in the growing field
of managed security services -- i.e., "if you outsource security monitoring
to us, not only will we keep you secure, but if we don't, you get paid."
Counterpane's risk is also mitigated -- if its customers can collect for
damages in the event of a breach, perhaps they will be less likely to go
after their security provider.

An important question then is, with the limited budgets currently available
for security, how many companies will buy these offerings? In the short
term, the answer might be "a few." Counterpane's client base is already a
security-conscious group -- its services aren't cheap -- and they are
likely to be willing to spend the extra on an insurance premium. However,
as more companies realize the extent of their financial stake in
maintaining web security -- and the difficulty in both quantifying and
mitigating the risks involved -- they will be more likely to want to
transfer that risk to a third party, and the market for web-liability
insurance will grow. In the long run, Hurwitz Group believes that
web-liability insurance will become as standard as building insurance.

Within five years or so, the insurance industry will also likely begin to
amass the data necessary to quantify these risks with more standard
statistical modeling and a more commonly understood baseline for acceptable
practices. Until then, however, insurance companies will continue to rely
on assessments by security consultants to help manage their risks. The fit
between insurers and managed-security service providers, with their
established expertise and practices, seems to be a particularly good one.
Hurwitz Group expects to see more agreements between them as the market
matures over the next three to nine months.