2/9/2018
01:00 PM
Cyber Warranties: What to Know, What to Ask

The drivers and details behind the growth of cyber warranties, which more businesses are using to guarantee their products.

Solutions providers have started to adopt cyber warranties to stand by the effectiveness of their products and services. As more providers enter the market, warranties could give adopters an edge when selling to a growing pool of security-savvy customers.

"One of the things I came to realize when I was running WhiteHat [Security] is, information security is full of snake oil and lies and deceptions and things like that," says Jeremiah Grossman, founder of WhiteHat Security and current chief of security strategy at SentinelOne.

At the time, customers had to navigate marketing and buzzwords from different vendors, most of which weren't willing to stand by their claims to, for example, block APTs and SQL injections. As Grossman puts it, there was nothing he could say, do, or build that competitors couldn't say they did too -- even if they were lying about it.

The challenge drove him to pioneer the concept of cyber warranties, which make solution providers liable for their products and force them to put substance behind their claims.

It started out as a "very novel, very controversial concept," Grossman says of the early stages. "Nobody wants to make themselves liable or accountable in infosec." A couple of years ago, nobody was offering warranties. Now, he notes, the trend is moving in the right direction. SentinelOne's Ransomware Cyber Warranty offers up to $1M in ransomware protection.

What cyber warranties do

Here, it's important to note the difference between cyber warranties and cyber insurance.

Cyber insurance covers defense costs, settlements, and first-party breach response expenses. It covers customers' data breach actions or outcomes, such as compromised paper files or lost devices. Coverage kicks in if a covered incident occurs and is reported during a policy period.

A cyber warranty is for all services provided by a solutions provider to their customer base. It covers the cost to re-perform services associated with the system update following an external data breach caused by a vendor's product, explains Matt Kletzli, management liability leader at Schinnerer, which recently launched a warranty for tech solutions providers.

Schinnerer, an underwriting manager, teamed up with Guidewire, which builds software for the property and casualty (P&C) insurance industry. Its Cyber Warranty uses Cyence, a risk analytics tool from Guidewire, to gauge the risk of vendors' customers so they can customize strategies. The warranty is for small and mid-size solutions providers making $40M maximum each year.

"What we're doing is providing the solutions providers with a tangible contractual agreement with every one of their clients where they have a service agreement in place," says Kletzli. In the remediation of a breach that requires reporting to regulators, the warranty will let solutions providers re-perform services that gave rise to the breach, he continues.

What vendors and customers need to know

"All vendors need to know is how well their product works under a given set of circumstances," Grossman explains. While nobody can guarantee 100% effective security, they can conduct internal testing to learn the effectiveness of their products and likelihood of claims.

He points to the example of SentinelOne, which tested the likelihood of devices being infected with ransomware over the course of a year when protected with its ransomware product. The infection rate turned out to be 1%, which the company could use to stand by its effectiveness.

Grossman also advocates that warranty providers re-insure their warranties so customers can be confident their vendors will be able to make good on their promises.

Cyber warranties help set vendors apart at a time when it's getting harder to stand out in the market. "When you're a solutions provider, it gets very difficult to differentiate by saying 'I'm a high-level product with X product manufacturer,'" says Ryan McKinney, business development leader for Guidewire's Cyence Risk Analytics.

When buying a product or service, businesses should ask if the vendor will consider offering a warranty. "Ask for the fine print," Grossman says. "Some warranties out there are really good; some are really not."

"The repercussions of a cyber breach are widespread and in my opinion, are also at this point unbound," says Setu Kulkarni, VP of product and corporate strategy at WhiteHat. Buying a product with a warranty is one way to mitigate the risk, he explains.

Every application is unique, he continues, and there is no common baseline to dictate which types of apps should be protected in different ways. "How you use the software should also dictate what kind of cyber warranties you get," he notes. If you're not using software with the right configuration, for example, the warranty claims might be different.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...