Calls for Security Vendors to Guarantee Products

Insurance is an increasingly important option for cyber defense — but a new survey shows a remarkable difference in attitude between different geographical areas. Against an overall average of 72%, only 49% of UK companies have a cyber insurance policy in place; despite London’s dominant position in world insurance and reinsurance.

In a recent survey by Vanson Bourne for SentinelOne, details published Tuesday show the US as the most insurance-conscious area, with 83% of organizations already cyber insured. 

A total of 500 organizations were questioned: 200 in the US, and 100 in each of the UK, Germany and France. The UK is also the least likely to implement cyber insurance in the future. While 7% of French organizations, 3% of US organizations and only 2% of German organizations have no plans to implement cyber insurance, fully 20% of UK companies take the same attitude.

SentinelOne believes that cyber insurance is important now and will be even more important in the future. Chief security consultant Tony Rowan told SecurityWeek that increasing regulatory pressure and fines would force business to look closely at cyber insurance. The survey shows this is already beginning, where the impending EU GDPR regulations and the threat of fines of up to €20 million or 4 per cent of turnover is causing another 52% of those that don’t currently have insurance to investigate the possibility.

SentinelOne offers a variation on the insurance theme: it guarantees against customers’ loss through ransomware, and uses the insurance market to underwrite the guarantee.

“We’re proud to have been the first,” said Rowan, “and still only, next generation endpoint protection company to launch a cyber security guarantee with our $1,000 per endpoint, or $1 million per company pay out in the event they experience a ransomware attack after installing our product.”

A few other companies are now offering their own guarantees, such as Cymmetria, Trusona and WhiteHat Security — but Rowan told SecurityWeek that he would like to see all security vendors guaranteeing their own performance. “It is anomalous that if I buy a washing machine and it doesn’t do what it is supposed to do, I can take it back. But if I buy software that doesn’t do what it is supposed to do, then the best I can hope for is a patch; which doesn’t seem fair, does it?”

He fears however, that not all security vendors could provide a guarantee. “I suspect the difficulty for some vendors would be getting the insurance companies to underwrite them;” although this is really an admission that some security products are just not good enough.

Two processes could force vendors to offer guarantees. The first would be legislative insistence. Governments generally shy away from such steps citing jurisdictional problems and the fear of stifling innovation. But Rowan counters, “Many other industries manage pretty well, even those where stringent regulations are already in place. So it shouldn’t stop innovation completely.”

The second process would be customer pressure. As more and more vendors begin to offer guarantees, there will be pressure for all vendors to follow suit, or simply be ignored by customers.

However, until such time as vendors do guarantee their products, cyber insurance remains an attractive if not the only option. In such cases it is important that organizations read the small print to understand exactly where they are covered and where they are not covered — and again the survey shows strong geographical differences. For example, asked about costs met by insurers for a ransomware attack, 86% had compliance and regulatory requirements covered in the UK, and 88% in Germany. This compared to 72% in the US and only 46% in France.

Legal costs were different, although Germany again scored highly with 63%. The US returned 59% and France 46%; but only 14% of insurers covered legal costs caused by a ransomware attack in the UK.

The global cyber insurance market is expected to generate $14 billion by 2022, according to a new report from Allied Market Research (AMR). That figure represents an impressive compound annual growth rate (CAGR) of nearly 28% from 2016 to 2022. By comparison, a report (PDF) from PwC estimates that annual gross written premiums are set to increase from around $2.5 billion in 2015 to $7.5 billion by 2020.

Related: The Hidden Strategic Advantage in Cyber Insurance

Related: Cyber Insurance: Security Tool or Hype?