The Unrealized Vision of Cyber Warranties
The first noteworthy cyber warranty was announced 10 years ago at Black Hat 2014. Jeremiah Grossman, founder and CEO of WhiteHat Security, said that if a customer was hacked, his company would refund the money the customer had paid for its services and reimburse the customer for the first $250,000 of any breach-related costs.
Soon after, Grossman put cyber insurance in the crosshairs by characterizing cyber’s $1.3 billion growth as “budget left on the table” by the InfoSec industry. According to Grossman, InfoSec vendors offering warranties would satisfy demand for cyber risk transfer and eliminate the need for cyber insurance. But for many reasons, this vision was unrealized.
Why?
Digital risk is pervasive. Modern businesses must choose to accept, mitigate, and/or transfer their risks. Businesses are increasingly choosing to transfer those risks through cyber insurance. But some businesses may elect to purchase non-insurance products or cyber security services that offer a warranty on their services. Businesses may mistakenly think that cyber warranties and cyber insurance offer the same benefits, but the two are not the same.
Below, we’ll explore the differences between cyber warranties and cyber insurance, some of the problems with cyber warranties, and why cyber insurance is the only comprehensive risk transfer solution.
Cyber warranties vs. cyber insurance
Cyber warranties are not a risk transfer mechanism; they are merely intended to instill confidence in product or service performance. Under U.S. law, a warranty is a promise or guarantee made by one party about the condition, performance, or quality of a product or service. Globally, cyber warranties largely adhere to that definition, though some vendors have offered to pay customers’ limited costs, provided certain criteria are met.
Unlike cyber warranties, cyber insurance is a true risk transfer mechanism, offering broad coverage for a variety of risks related to cyber attacks, data breaches, and other incidents. Warranties are not an alternative to insurance, which is far more comprehensive in its coverage, and businesses that mistake one for the other may find themselves in a very difficult spot.
That may be why cyber warranties have floundered over the past decade: Many have been withdrawn from the market, and those that remain rarely cover customers’ breach costs because the strict criteria are frequently not met. Meanwhile, cyber insurance has exploded into a $15 billion industry.
The premise of cyber warranties usurping cyber insurance was doomed from the start, because the two products were designed to address different issues. Most businesses want and need a comprehensive mechanism to mitigate their financial loss in the event of a digital disruption, whether it is caused by a product not functioning as advertised or by a criminal breach.
Warranties are unattractive for several reasons, including the following:
Most cyber warranties are withdrawn within five years.
Cyber warranties generally reimburse customers only in a narrow set of circumstances, with strict requirements governing when a customer will receive any payout.
Businesses must be cautious of solutions that overpromise and underdeliver.
Cyber warranty longevity is no guarantee
The longevity of a cyber warranty is an important factor for businesses who need confidence that they will be covered for losses that occur long after the cybersecurity services are complete.
Cyber warranties attached to software-as-a-service (SaaS) solutions, for example, are typically valid only for the duration of the subscription and can be removed at renewal. This means a business is locked into using the SaaS product: the minute it stops using the service, it may no longer be able to make a claim for costs incurred during a cyber attack.
“The history of cyber warranties suggests longevity is a problem,” said Daniel Woods, Senior Security Researcher at Coalition. “From the vendor perspective, there is little reason to keep offering the warranty after the vendor has received a quick splash in the press.”
Five years after announcing its novel warranty offering, WhiteHat Security was acquired by Synopsys. Now, the business doesn’t advertise a warranty associated with the WhiteHat services. In fact, four of the six cyber warranties released before 2020 have seemingly disappeared:
MyDigitalShield announced a data breach warranty in 2016. Reference to the warranty appears to have been scrubbed from the internet.
AsTech announced a $5 million warranty for its software testing in 2017. The original press release is no longer online.
Cymmetria announced a $1 million warranty in 2017 for an advanced persistent threat (APT) attack that went undetected by its product. The company shut down after being acquired by a private equity firm in 2019.
The problem of warranty longevity is critical because of how often businesses experience cyber events. In 2023, 6.6% of large businesses experienced a cyber insurance claim, which means the average large business should expect to file a claim roughly every 15 years, and smaller businesses even less often.
Extrapolating from this trend, and assuming that these businesses relied upon cybersecurity services to mitigate risk, Woods concluded: “Given the majority of these warranty buyers didn’t make a claim in the first five years, in effect, they paid extra for a premium feature that was withdrawn before they truly needed it.”
Cyber warranty coverage is intentionally narrow
Even if a cyber warranty still exists when a customer makes a claim, whether the claim will actually be paid remains to be seen. Cyber warranties are not a comprehensive cyber risk transfer solution, nor are they designed to prevent or reimburse a customer for all issues and costs arising from a cyber incident.
Take CrowdStrike as an example: In 2022, CrowdStrike CEO George Kurtz announced that the company hadn’t paid out a single claim in the four years since announcing its endpoint security breach prevention warranty — proof that these warranties are largely marketing. While this warranty may have convinced a customer to purchase CrowdStrike’s endpoint security product, it’s narrow in scope and not designed to prevent social engineering, which means its warranty likely doesn’t provide coverage for the majority of events that drive losses behind cyber insurance claims, such as business email compromises and funds transfer fraud.
Limited and somewhat unreliable coverage has led to complaints from customers that had claims rejected under these service warranties.
“Insurance regulators have raised concerns to me about consumer confusion in the cyber marketplace,” said Sezaneh Seymour, Ph.D., VP and Head of Regulatory Risk and Policy at Coalition. “This problem is not theoretical. Regulators have received reports from consumers who thought they were buying one thing and got another.”
The terms and conditions on cyber warranties can vary widely across products and services. For example, a warranty attached to a backup solution will be different from a warranty attached to cybersecurity training because the products promise fundamentally different functionality. This lack of standardization makes it difficult for risk managers to evaluate coverage.
Furthermore, cyber warranties often require customers to follow extensive cybersecurity procedures. For example, Rubrik’s ransomware warranty requires customers to grant the company access to perform monthly “health checks,” in addition to maintaining hardening guidelines that span encryption, user access, backups, and more.
“I wish we lived in a world where small businesses could uphold these stringent security standards defined by vendors, but the reality is most businesses will fall short,” said John Roberts, General Manager of Security at Coalition. “My worry is that these customers will make a claim and learn the hard way that a warranty is not a substitute for insurance.”
Insurance is the only comprehensive risk transfer solution
Cyber warranties have yet to replace cyber insurance — and the chances of that happening are unlikely.
Why? Because cyber insurance solves the precise problems that have plagued warranties:
The insurance business model is based on longevity: Because of industry regulation, insurers rarely go out of business. When a business buys a policy, the insurer can invest the premium before claims are paid out. This investment is known as “float.” Over time, float helps insurers make long-term investments to improve existing offerings and develop new ones that benefit consumers.
Cyber insurance is designed to cover a wide range of cyber risks: Ransomware, data breaches, email compromise, and even non-security risks like privacy wrongful acts and media liability — these are all vastly different risks that typically fall under coverage from a single policy. Cyber insurers paid out more than 4.5 billion dollars in cyber claims in 2023 alone. (A figure that would be much higher if the National Association of Insurance Commissioners collected data on all global cyber insurance policies.)
Cyber insurance also does much more than pay claims. Over and above covering the costs of a claim, cyber insurance provides policyholders with peace of mind and a place to turn for help. Warranties, on the other hand, are limited to guaranteeing how a product or service will work and potentially covering some limited costs in the event the product or service fails in its defined purpose. In sum, warranties are not insurance, and they are not designed to provide businesses the help they need to respond to and recover from a complex cybersecurity incident.
Cyber insurance is clearly the only comprehensive risk transfer solution. Perhaps the best encapsulation of the shortcomings of cyber warranties comes from KnowBe4 when it announced that it would be officially retiring its “somewhat dated” Crypto-Ransom Guarantee:
“At this time, there are professional cybersecurity insurance policies available that cover both the cost of downtime and payment of the ransom in case that is required.”
This article originally appeared in the September 2024 edition of the Cyber Savvy Broker Newsletter.