The hackers are winning, so the market for cybersecurity insurance is booming. Today businesses accept that they are likely to be breached no matter how much they spend on defenses, and they’ve begun looking for someone to share the cost. Pricing the risk is difficult, however (see “Insurers Scramble to Put a Price on a Cyber Catastrophe”). And that has created a new opportunity for security companies confident enough to warranty their products.
Companies will spend $7.5 billion on cybersecurity insurance in 2020 (up from an estimated $2.5 billion in 2015), according to a recent projection by PricewaterhouseCoopers. The ballooning market reflects how common cybercrime has become—and the fact that cybersecurity companies are not financially accountable when something goes wrong.
Jeremiah Grossman, chief of security strategy at SentinelOne, which sells antimalware systems, says that should change. To align its financial interests with its customers’, SentinelOne offers a warranty that puts the company on the hook for up to $1,000,000 if the customer falls victim to a ransomware attack, in which hackers break in and encrypt data before demanding a ransom to unlock it. Other cybersecurity startups, as well as big players like Symantec and McAfee, now similarly promise to pay up if their product or service fails.
Grossman says his 10-month-old warranty program has already given his company a leg up on its competitors.
It is too early to say whether cybersecurity warranties will amount to anything more than marketing ploys, says Steve Durbin, managing director of the Information Security Forum, a nonprofit organization that develops recommendations for the best way to manage information security risks. But some vendors have gathered valuable information by monitoring the performance of their products over the years, and that potentially puts them in a strong position to “plug a little bit of a gap” in the insurance market, he says.
In evaluating these risks, cybersecurity firms have an advantage over traditional insurance companies, because they have crucial data that can only come from analyzing real events like the data breaches they themselves have experienced. Traditional insurers, by contrast, are just beginning to assess the full risks of doing business in cyberspace.
That helps explain why insurers, including AIG, are getting behind these new warranty programs. (AIG declined to comment for this story.)
Grossman’s company has its own data on the risk that its system will miss a ransomware attack. Those numbers helped convince an established liability insurer (as part of the arrangement, SentinelOne does not reveal this company’s name publicly) to back its warranty.
Many of the data breaches we have seen could have been avoided if businesses had patched their systems adequately. For example, the WannaCry ransomware attack that began in May takes advantage of old, unpatched Microsoft operating systems. Companies that sign up for these programs will get a payout only if they follow proper security practices.
AsTech Consulting, whose service entails analyzing a business’s source code to identify vulnerabilities, working with the company to fix them, and training employees not to reintroduce them, recently began offering a guarantee that customers who follow the process and still suffer a breach will be compensated up to $1,000,000.
If a company’s risk is “measurably going down,” a result AsTech says its process has been shown to achieve over the past 20 years, that will attract insurance companies because they will better know and manage their risk, says CEO Greg Reber. “That’s a pretty good market.”