
Get Hacked and Your Cybersecurity Company May Pay

A small but growing number of cybersecurity companies are introducing warranty programs that can serve as insurance against the cost of a potential data breach.
June 26, 2017

The hackers are winning, so the market for cybersecurity insurance is booming. Today businesses accept that they are likely to be breached no matter how much they spend on defenses, and they’ve begun looking for someone to share the cost. Pricing the risk is difficult, however (see “Insurers Scramble to Put a Price on a Cyber Catastrophe”). And that has created a new opportunity for security companies confident enough to warranty their products.

Companies will spend $7.5 billion on cybersecurity insurance in 2020 (up from an estimated $2.5 billion in 2015), according to a recent projection by PricewaterhouseCoopers. The ballooning market reflects how common cybercrime has become—and the fact that cybersecurity companies are not financially accountable when something goes wrong.

Jeremiah Grossman, chief of security strategy at SentinelOne, which sells antimalware systems, says that should change. To align its financial interests with its customers’, SentinelOne offers a warranty that puts the company on the hook for up to $1,000,000 if the customer falls victim to a ransomware attack, in which hackers break in and encrypt data before demanding a ransom to unlock it. Other cybersecurity startups, as well as big players like Symantec and McAfee, now similarly promise to pay up if their product or service fails.

Grossman says his 10-month-old warranty program has already given his company a leg up on its competitors.

It is too early to say whether cybersecurity warranties will amount to anything more than marketing ploys, says Steve Durbin, managing director of the Information Security Forum, a nonprofit organization that develops recommendations for the best way to manage information security risks. But some vendors have gathered valuable information by monitoring the performance of their products over the years, and that potentially puts them in a strong position to “plug a little bit of a gap” in the insurance market, he says.

In evaluating these risks, cybersecurity firms have an advantage over traditional insurance companies, because they have crucial data that can only come from analyzing real events like the data breaches they themselves have experienced. Traditional insurers, by contrast, are just beginning to assess the full risks of doing business in cyberspace.

That helps explain why insurers, including AIG, are getting behind these new warranty programs. (AIG declined to comment for this story.)

Grossman’s company has its own data on the risk that its system will miss a ransomware attack. Those numbers helped convince an established liability insurer (as part of the arrangement, SentinelOne does not reveal this company’s name publicly) to back its warranty.

Many of the data breaches we have seen could have been avoided if businesses had patched their systems adequately. For example, the WannaCry ransomware attack that began in May takes advantage of old, unpatched Microsoft operating systems. Companies that sign up for these programs will get a payout only if they follow proper security practices.

AsTech Consulting, whose service entails analyzing a business’s source code to identify vulnerabilities, working with the company to fix them, and training employees not to reintroduce them, recently began offering a guarantee that customers who follow the process and still suffer a breach will be compensated up to $1,000,000.

If a company’s risk is “measurably going down,” a result AsTech says its process has been shown to achieve over the past 20 years, that will attract insurance companies because they will better know and manage their risk, says CEO Greg Reber. “That’s a pretty good market.”
