
Cyber insurer hopes to boost business with pen testing

By Robert Westervelt, News Editor
04 Dec 2007 | SearchSecurity.com

Security Wire Daily News

Commercial insurer Chubb Corp. is offering an incentive to cyber insurance buyers that use a penetration testing tool to test for vulnerabilities in their environment.


The insurer has identified Core Security's Core Impact product and said it is offering a discount on insurance if companies buy and demonstrate the use of the automated tool. Warren, NJ-based Chubb said it is the first time an insurer has identified specific security software as essential to defend against data leakage.

"Traditionally pen testing has been something brought to senior people in an organization and their eyes would glaze over," said Jeffrey Cassidy, vice president of business development at Core.

Cassidy said Chubb's move highlights the latest recommendations from the National Institute of Standards and Technology (NIST), the latest version of which for the first time includes language calling penetration testing a best practice for cyber security defense.

Core's tool costs $30,000 for an unlimited license. The company says its priority has been to beef up the tool's automated features, making it easy for less technically savvy people to deploy and use.

"Chubb's cyber security business and our automated pen business have seen significant growth in recent years," Cassidy said. "We applaud and share the same goal that they do to try and reduce risks."

Chubb has been selling cyber insurance since 2001. Other insurers have followed, but the market has faced a number of hurdles, according to analysts. Experts say the lack of tangible data on data security risks has been an issue. Also, it's difficult for insurers to calculate and identify specific losses as a result of a cyber disruption, said Dan Blum, senior vice president and research analyst at Midvale, Utah-based Burton Group.

"From my vantage point it looks like cyber insurance is still not a major option for most organizations for most situations," Blum said. "There either doesn't tend to be enough coverage or the coverage seems too expensive and the big problem is actuarial."

IT security pros have had a difficult time calculating the annual rate of occurrences for the company's business unit. With estimates that only 20% of security incidents are reported, insurers and companies lack a solid baseline to figure out actual cost, Blum said.

"The servers and full time resources of IT are on the balance sheet but risk may not be on the balance sheet of some firms yet," Blum said. "Once we do a better job of risk assessments, there will be more opportunities for insuring the value that we track."

Tracy Vispoli, a vice president with Chubb's cyber security business, said Core was the first vendor selected to be part of the discount program, but other security vendors would be evaluated.

"It's an incentive for our customers to take a better look and understand what their vulnerabilities are," she said. "We're always looking for ways to give incentives to our customers to understand what their risks are and most importantly to demonstrate behavior that will mitigate their risk."

Vispoli acknowledged some obstacles for the cyber insurance industry. She said the market has matured in the last two years as companies better understand the cost and expenses associated with a breach.

"The public nature of security breaches has raised awareness across all levels of organizations and it shows that these threats are real and the cost is real," Vispoli said.

Vispoli acknowledged that issues remain in the reinsurance market, where insurance companies would seek protection against the risk of a major cyber security incident. But some firms are using cyber insurance to reduce some financial risk, she said. Financial institutions make up a large part of Chubb's customer base. The insurer is also seeing an increased interest from retailers, professional services firms and medical professions, such as hospitals and HMOs.

"It will be possibly ten years before reinsurers feel that they have accumulated enough data," she said.


