Get Hacked and Your Cybersecurity Company May Pay

A small but growing number of cybersecurity companies are introducing warranty programs that can serve as insurance against the cost of a potential data breach.

The hackers are winning, so the market for cybersecurity insurance is booming. Today businesses accept that they are likely to be breached no matter how much they spend on defenses, and they’ve begun looking for someone to share the cost. Pricing the risk is difficult, however (see “Insurers Scramble to Put a Price on a Cyber Catastrophe”). And that has created a new opportunity for security companies confident enough to warranty their products.

Companies will spend $7.5 billion on cybersecurity insurance in 2020 (up from an estimated $2.5 billion in 2015), according to a recent projection by PricewaterhouseCoopers. The ballooning market reflects how common cybercrime has become—and the fact that cybersecurity companies are not financially accountable when something goes wrong.

Jeremiah Grossman, chief of security strategy at SentinelOne, which sells antimalware systems, says that should change. To align its financial interests with its customers’, SentinelOne offers a warranty that puts the company on the hook for up to $1,000,000 if the customer falls victim to a ransomware attack, in which hackers break in and encrypt data before demanding a ransom to unlock it. Other cybersecurity startups, as well as big players like Symantec and McAfee, now similarly promise to pay up if their product or service fails.

Grossman says his 10-month-old warranty program has already given his company a leg up on its competitors.

It is too early to say whether cybersecurity warranties will amount to anything more than marketing ploys, says Steve Durbin, managing director of the Information Security Forum, a nonprofit organization that develops recommendations for the best way to manage information security risks. But some vendors have gathered valuable information by monitoring the performance of their products over the years, and that potentially puts them in a strong position to “plug a little bit of a gap” in the insurance market, he says.

In evaluating these risks, cybersecurity firms have an advantage over traditional insurance companies, because they have crucial data that can only come from analyzing real events like the data breaches they themselves have experienced. Traditional insurers, by contrast, are just beginning to assess the full risks of doing business in cyberspace.

That helps explain why insurers, including AIG, are getting behind these new warranty programs. (AIG declined to comment for this story.)

Grossman’s company has its own data on the risk that its system will miss a ransomware attack. Those numbers helped convince an established liability insurer (as part of the arrangement, SentinelOne does not reveal this company’s name publicly) to back its warranty.

Many of the data breaches we have seen could have been avoided if businesses had patched their systems adequately. For example, the WannaCry ransomware attack that began in May takes advantage of old, unpatched Microsoft operating systems. Companies that sign up for these programs will get a payout only if they follow proper security practices.

AsTech Consulting, whose service entails analyzing a business’s source code to identify vulnerabilities, working with the company to fix them, and training employees not to reintroduce them, recently began offering a guarantee that customers who follow the process and still suffer a breach will be compensated up to $1,000,000.

If a company’s risk is “measurably going down,” a result AsTech says its process has been shown to achieve over the past 20 years, that will attract insurance companies because they will better know and manage their risk, says CEO Greg Reber. “That’s a pretty good market.”
