Insurance isn't exciting. It doesn't generate noteworthy buzz or media interest — and for most companies, insurance policies are signed, stored and then forgotten unless absolutely needed. But emerging IT security threats such as Shellshock and the recurring Backoff malware have prompted significant growth in the cyber insurance market.
Insurance for web application developers is one unique area of interest, but it comes with increased risk: What happens if an app doesn't perform as required, or if it allows a malicious actor through the gate? Here's how developers can protect their interests while keeping premiums low:
Lessons in Loss
At the time of its security breach, Target was covered under a number of cyber policies, each of which was on the hook for millions in claims. As a result, insurance firms are now starting to lock down expectations and limit claims if companies can't prove they follow standard security protocols. According to InsuranceNewsNet, cyber liability insurance is now as necessary for small businesses as property or liability insurance, since so much day-to-day activity is carried out online. From collecting personal data to filing financial reports or securely selling items, there's almost no part of a company that technology doesn't touch — and traditional insurance policies don't cover any of it.
Cyber insurance, meanwhile, provides monetary compensation for loss, and frequently offers other value-added services. For example, some providers handle customer complaints after a breach, cover social media slander or even pay for data recovery. And while it may appear that insurance firms are late to the technology party, they're quickly learning the rules: After breaches such as those that affected Target, Dairy Queen and Home Depot, contracts are tighter — and companies must do more to demonstrate that they're not putting data at undue risk.
Upswings and Uncertainty
According to Insurance Journal, the demand for cyber insurance is only increasing: It was up 21 percent in 2013 and showed no signs of slowing this year. But despite a widening variety of providers and an average corporate cost of $3.5 million per breach, insurance providers say that the greatest challenge in selling cyber insurance stems from companies' uncertainty that they need coverage at all. Forty percent of those surveyed said business clients still aren't sure they need this kind of insurance, while 29 percent believe they're covered by existing policies. Guess what? They're not.
The Developer Dilemma
So what does all this mean when it comes to insurance for web application developers? That it's understandable if they're on the fence. What's the real risk of breach? And if one happens, would an insurance company even cover the cost?
When it comes to risk, developers are more vulnerable than they realize. A recent Arxan survey found that 87 percent of the top paid iOS apps and 97 percent of the top paid Android apps have been hacked and repackaged, and are now on sale as "legitimate." This puts app developers in the crossfire: What if enterprises using hacked versions of an app are compromised? If the app was improperly coded, its developers could be on the hook for millions lost. As a result, cyber insurance is a must.
But the insurance world has a simple rule: More risk, more money. This means insurance for web application developers is often expensive and narrow — and claims only make matters worse. It's possible to lower premiums, however, by following a few simple steps. The first is transparency, both when testing code security and during application releases. If insurance companies can track the development of an application from start to finish and are never "shut out" of the process, rates will improve. It's also critical to consider risk management. Just as insurance companies offer lower rates on homes with alarm systems and cars parked in locked garages, they're willing to compromise on premiums if developers can show that all the code they use — both in-house and third-party — undergoes regular vulnerability testing and remediation as required. While talking about "Agile testing" and "binary static analysis" won't mean anything to an insurance provider, there's real value in providing evidence that apps are part of a company-wide, cloud-based security process that leaves no line of code untested.
No business should be without cyber insurance, and that absolutely includes companies that rely on web application developers. With the right security backbone, it's possible to lower insurance rates, limit the chance of a claim and, in turn, charge clients the best possible rates for your bottom line. In a world where every second headline is about a new breach, companies are willing to pay for peace of mind.