Commercial insurer Chubb Corp. is offering an incentive to cyber insurance buyers that use a penetration testing tool to test for vulnerabilities in their environment.
The insurer has identified Core Security's Core Impact product and said it is offering a discount on insurance if companies buy and demonstrate the use of the automated tool. Warren, NJ-based Chubb said it is the first time an insurer has identified specific security software as essential to defend against data leakage.
"Traditionally pen testing has been something brought to senior people in an organization and their eyes would glaze over," said Jeffrey Cassidy, vice president of business development at Core.
Cassidy said Chubb's move highlights the latest recommendations from the National Institute of Standards and Technology (NIST), whose latest version for the first time includes language calling penetration testing a best practice for cyber security defense.
Core's tool costs $30,000 for an unlimited license. The company says its priority has been to beef up the tool's automated features, making it easy for less technically savvy people to deploy and use.
"Chubb's cyber security business and our automated pen business have seen significant growth in recent years," Cassidy said. "We applaud and share the same goal that they do to try and reduce risks."
Chubb has been selling cyber insurance since 2001. Other insurers have followed, but the market has faced a number of hurdles, according to analysts. Experts say the lack of tangible data on data security risks has been an issue. Also, it's difficult for insurers to calculate and identify specific losses as a result of a cyber disruption, said Dan Blum, senior vice president and research analyst at Midvale, Utah-based Burton Group.
"From my vantage point it looks like cyber insurance is still not a major option for most organizations for most situations," Blum said. "There either doesn't tend to be enough coverage or the coverage seems too expensive and the big problem is actuarial."
IT security pros have had a difficult time calculating the annual rate of occurrences for the company's business unit. With estimates that only 20% of security incidents are reported, insurers and companies lack a solid baseline to figure out actual cost, Blum said.
"The servers and full time resources of IT are on the balance sheet but risk may not be on the balance sheet of some firms yet," Blum said. "Once we do a better job of risk assessments, there will be more opportunities for insuring the value that we track."
Tracy Vispoli, a vice president with Chubb's cyber security business, said Core was the first vendor selected to be part of the discount program, but other security vendors would be evaluated.
"It's an incentive for our customers to take a better look and understand what their vulnerabilities are," she said. "We're always looking for ways to give incentives to our customers to understand what their risks are and most importantly to demonstrate behavior that will mitigate their risk."
Vispoli acknowledged some obstacles for the cyber insurance industry. She said the market has matured in the last two years as companies better understand the cost and expenses associated with a breach.
"The public nature of security breaches has raised awareness across all levels of organizations and it shows that these threats are real and the cost is real," Vispoli said.
Vispoli acknowledged that issues remain in the reinsurance market, where insurance companies would seek protection against the risk of a major cyber security incident. But some firms are using cyber insurance to reduce some financial risk, she said. Financial institutions make up a large part of Chubb's customer base. The insurer is also seeing an increased interest from retailers, professional services firms and medical professions, such as hospitals and HMOs.
"It will be possibly ten years before reinsurers feel that they have accumulated enough data," she said.