Hacker Insurance -- A New Twist on Insuring Web Business Risks.
By: Robin Mejia, Analyst

"Think of our product as your insurance policy." How often have you heard
that line from a security vendor? Now, managed-security services provider
Counterpane can make that claim with reasonable accuracy. On July 10, 2000,
Counterpane announced a partnership with Lloyd's of London to offer
Internet Asset and Income Protection Coverage -- or "hacker insurance" --
to companies that use Counterpane's managed-security service; the
announcement has garnered significant coverage this week. Although this is
not the first example of insurance against web-related threats to a
company's bottom line, the marriage of managed services to insurance is new.

Several insurers have offered liability insurance for web- and
hacking-related damage, starting with InsureTrust in 1998. Because online
business is such a new insurable, no actuarial tables exist, so insurers
assess the risk of companies seeking coverage through security audits. They
often contract this audit with experienced security assessment firms, such
as SNCI, a subsidiary of Axent, which provides security audits for JS
Wurzler Underwriting Manager's web-site insurance and security program.
Others, such as InsureTrust, have grown their own team of security experts
to audit prospective clients. Once the insurer has qualified the company as
at least reasonably secure, it offers insurance premiums based on the
assessed risk level, and often provides information on areas where
companies could improve their security -- and thereby lower their premiums.

THE HURWITZ TAKE: Counterpane's agreement with Lloyd's of London offers a
new twist on this model. Lloyd's of London is using the adoption of
Counterpane's services as a measure of adequate protection in this new and
relatively unanalyzed area of risk. This is an excellent validation for
Counterpane, and the company also benefits because the ability to offer
insurance to any of its customers is a differentiator in the growing field
of managed security services -- i.e., "if you outsource security monitoring
to us, not only will we keep you secure, but if we don't, you get paid."
Counterpane's risk is also mitigated -- if its customers can collect for
damages in the event of a breach, perhaps they will be less likely to go
after their security provider.

An important question then is, with the limited budgets currently available
for security, how many companies will buy these offerings? In the short
term, the answer might be "a few." Counterpane's client base is already a
security-conscious group -- its services aren't cheap -- and they are
likely to be willing to spend the extra on an insurance premium. However,
as more companies realize the extent of their financial stake in
maintaining web security -- and the difficulty in both quantifying and
mitigating the risks involved -- they will be more likely to want to
transfer that risk to a third party, and the market for web-liability
insurance will grow. In the long run, Hurwitz Group believes that
web-liability insurance will become as standard as building insurance.

Within five years or so, the insurance industry will also likely begin to
amass the data necessary to quantify these risks with more standard
statistical modeling and a more commonly understood baseline for acceptable
practices. Until then, however, insurance companies will continue to rely
on assessments by security consultants to help manage their risks. The fit
between insurers and managed-security service providers, with their
established expertise and practices, seems to be a particularly good one.
Hurwitz Group expects to see more agreements between them as the market
matures over the next three to nine months.