At a time when data breaches seem to be reported every other day, and vendors constantly warn customers that the threat from cyber-criminals is real and growing, should end-user organisations look to security warranties and insurance for protection?
The cost of breaches
Crowdstrike made waves in June when it announced a $1 million “breach prevention warranty” as part of its Falcon Endpoint Protection Complete product.
The cyber-security vendor partnered with insurer AIG to bundle insurance with the product, at no extra charge, to cover “the costs incurred while responding to a data breach in the protected environment, including incident response, legal fees, notification, credit monitoring, forensic investigation and public communications expenses”.
The costs of responding to a security breach can be substantial. According to the 2018 Cost of a Data Breach Study by Ponemon Institute, the mean time to identify a data breach was 197 days, while the mean time to contain a breach was 69 days. Containing a breach within 30 days saved companies an average of over US$1 million compared to those who took more than 30 days to resolve a breach.
Crowdstrike partnered with underwriter AIG to set up the warranty, partly to provide confidence to customers.
“We’re trying to let our customers know that they can feel comfortable placing their trust in our comprehensive offering,” says Austin Murphy, VP of managed services.
“We want to demonstrate its quality. The warranty is one of the ways in which we do that.”
Having access to insurance could help to remove a barrier to mounting an effective response.
“Smart customers know that they need help if they get into this situation,” says Aaron Bailey, co-founder and chief information security officer at Sydney-based The Missing Link Security. “Being able to access insurance could assist with getting the help you need.”
Warranties and insurance are still a relatively new part of the cyber-security landscape, and not all warranties are created equal. “I’m a bit on the fence about their usefulness,” says Bailey. “I’m not aware of people testing these policies.”
Which is an important point: is the insurance policy you’re paying for worth the paper it’s written on?
“Generally, I take a cynical view towards the majority of the insurances and warranties that are being offered in the market,” says Adam Barker, technical director at Adelaide-based IT solution provider SecureWare. He sees plenty of insurers, lawyers, vendors, and many others all jumping on the ‘cyber’ bandwagon in pursuit of what they see as a rich source of revenue.
Barker urges caution when evaluating cyber warranties and insurance. “In certain circumstances there is value to be derived with warranties and/or cyber insurance,” he says. “As with everything, the devil is in the details.”
“Insurers are learning more about this space and eventually premiums and payouts will be more tightly aligned to security maturity,” says Dane Meah, chief executive of Sydney-headquartered security specialist InfoTrust. “Organisations should consider implementing security governance frameworks, such as NIST, ISO or ISM as it’s likely these will be the ‘common language’ that is used to assess security maturity.”
One extra challenge is that the traditional buyer for insurance generally sits in the finance department, rather than in technology. Technology leaders should partner with their colleagues in finance to ensure that insurance and warranty decisions are informed by both financial and technology implications.
Wash your hands
Customers should take care not to spend up big on a fancy insurance policy and then think they’ve solved all their cyber-risk issues.
“Insurances may create a false sense of security as payouts are often limited to actual losses or damages,” says Meah. “Business disruption, loss of productivity and brand damage are difficult to calculate and rarely, if ever, recoverable.”
“Don’t get cyber-insurance and then do nothing else,” counsels Aaron Bailey. “You can have car insurance, but you still wear a seatbelt and drive carefully.”
A robust security approach is about much more than products and warranties or insurance. It’s about having a comprehensive approach to security across the business.
“So much of an effective security strategy is in the people and process,” says Crowdstrike’s Murphy. “Our technology is fantastic, but the most value can be driven from it if it’s being used appropriately by a team of experts.”
Murphy says that part of getting AIG to underwrite the Falcon Complete warranty involved having the insurer understand the people and process side of the managed service.
“We worked a long time with AIG to really give them a deep-dive on the technology and the process we’re following,” he says. It was the overall approach to reducing customer risk, not just the deployment of products, that helped AIG feel comfortable underwriting the warranty.
Insuring against cyber risks makes sense, particularly in a world where the risk of cyber-losses is high and increasing. The hard costs of responding to a breach can be substantial, and insurance could help you to ensure the job of cleaning up is done properly.
The difficulty at the moment is the relative lack of maturity of the offerings. Customers will need to take extra care that the warranty or insurance they’re paying for has real value, not just marketing value.
“In the long term we’re all for insurance and/or warranties in this space,” says SecureWare’s Barker. “However, neither are mature at the moment so care needs to be taken to best understand the real value.”
While the field is emerging, and still evolving, cyber-insurance is something businesses should definitely be looking at. “It’s still new, but not so new that you should ignore it completely,” says The Missing Link’s Bailey. There are plenty of channel partners who would be more than happy to help you to navigate the complexities.
Information security is a relatively new discipline, but the rise of insurance and warranties shows that it’s now being considered a core business issue rather than a niche technology problem. This is a very good thing, and shows that cyber-security is heading very much in the right direction.