2

I recently attended a general IT conference and saw some interesting vendors of various products and services. One of them was a company providing hacking insurance, and they said that there were two business models that they operate on:

  1. Liability insurance model: this is where they insure the providers of services such as penetration testing or data security against their clients suing them when there is a security breach. Apparently this is the main business in the US.
  2. Loss of data/asset model: this is where they insure small to medium businesses against loss of company productivity, assets or client information when there is a security breach.

I was wondering what the impact of these services on the information security industry. Is this going to make people more aware of information security, will it make people less vigilant because there is some insurance against bad events, or perhaps it won't change anything at all?

The interesting thing about the business model is that for the loss of data/asset model they don't assess the client for their level of security infrastructure and process, which is rather interesting because it means that they are happy to insure people regardless of the risk of having to make a pay-out (presumably because they are trying to attract customers and they are not going after large enterprise or corporate clients). I suppose once they get enough clients and lots of claims come through then they might have to have an internal assessment team or outsource this capability to other firms.

Michael Lai
  • 281
  • 2
  • 6

2 Answers2

4

If you have a car insurance you will pay more if you have a more expensive car. Also young and inexperienced drivers will pay more because the risk with them is higher.

The same is with such hacking insurance: this price depends on what needs to be covered and how much the risk of hacking is. The risk of hacking or at least the costs associated with a hack can be reduced by using established security strategies, i.e. backups, training, firewalls, breach detection, audits .... Thus if you invest more for security you pay less for the insurance. In fact most insurances will probably do not offer you a hacking insurance at all if you do not already have adequate security measures in place because in this case the risk would simply be to incalculable. And they will reduce payment in case of hacking attacks if you failed to keep your security up-to-date.

This means that I consider such insurances will be a good thing which will help to improve the security.

Steffen Ullrich
  • 201,479
  • 30
  • 402
  • 465
1

The insurance companies will compete for startups like credit companies compete for consumers. As long as startups are smaller than enterprise companies, insuring them will always be cheaper. Eventually, some startups will grow into enterprise companies. Then, the insurance companies, who have been insuring the startups all along, raise their prices. After all, every company has insurance now, even startups!

formicophobia
  • 515
  • 4
  • 9
  • I don't think that you answered the OP's question: Is this going to make people more aware of information security, will it make people less vigilant because there is some insurance against bad events, or perhaps it won't change anything at all? – Neil Smithline May 13 '16 at 18:42