- CrowdStrike, an endpoint protection provider, is the latest vendor to offer a warranty on its cybersecurity solution of up to $1 million, according to a company announcement Tuesday. The warranty applies to its Falcon EPP Complete solution.
- The free warranty will be applicable to customers who experience a breach within the protected environment that CrowdStrike's endpoint protection solution should have prevented.
- The warranty covers a range of breach expenses, including legal fees, credit monitoring, incident response, public communication, forensic investigation and notification.
The costs of cyberattacks and breaches are rising across businesses of all sizes. From March 2017 to February 2018, the average cyber incident cost enterprises $1.23 million, a 24% increase over the preceding year, according to Kaspersky. For SMBs, the average breach costs $120,000.
A warranty or guarantee program, in addition to cyberinsurance, can help a company offset the costs of a cyber incident — although $1 million can feel like chump change for a company like Equifax with data breach recovery costs already at more than $240 million. CrowdStrike isn't the first company to put its money where its mouth is.
In 2016, SentinelOne, another endpoint security software provider, launched its ransomware cyber guarantee for up to $1 million per company or $1,000 per endpoint, joining a group of less than 10 companies offering such a guarantee, said Jeremiah Grossman, current adviser and former chief of security at SentinelOne, in an interview with CIO Dive.
Today, around 20-30 companies offer similar warranties, though another three to five years is likely needed before the programs become commonplace, according to Grossman. SentinelOne and CrowdStrike are endpoint security companies, but the distribution of warranty programs is spread out among other cybersecurity sectors.
Growth in warranty programs will go hand-in-hand with the cyberinsurance market, in which stand-alone and package premiums grew 54% in 2017 to $2 billion, according to Insurance Journal. The market is expect to grow rapidly over the next few years, reaching $14 billion by 2022, according to Allied Market Research.
Although SentinelOne put forth its own warranty almost two years ago, CrowdStrike is the first vendor to offer a cyber warranty program since then, said Daniel Bernard, VP of business and corporate development at SentinelOne, in an interview with CIO Dive.
Just like a car manufacturer being responsible for a faulty automobile that needs to be recalled, cyber warranty programs move the onus of responsibility to vendors. As the programs become more prevalent in vendor offerings, warranty may become a key product and service distinguisher for security solutions customers.
"In this industry, there's so many vendors and everybody's kind of riding blind, and frankly so many products haven't worked for so many years," said Bernard. "That's why this next generation movement is taking place. The accountability is a good thing."
The announcement of another company launching a warranty program demonstrates that customers are placing new demands and vendors are responding, with interest between the two parties coming closer in alignment, said Grossman.
"It'll be little burden on any security vendor whose products are good, and a tremendous burden on any security vendor whose products are not," said Grossman.
Vendors looking to implement warranty or guarantee programs need to make sure their product works and that they have efficacy data to share with insurance underwriters, according to Grossman. The actual cost of reinsurance is relatively low, coming in around 2% of the liability limit.
With costs so negligible, it's something every vendor should incorporate into their standard, said Grossman.
The $1 million ceiling placed on SentinelOne's program was set by the average loss rate for SMBs hit by ransomware. While tiers of warranty and custom programs are in the future, to account for different costs between businesses sizes and industries, the market needs more maturity first, said Grossman.
To date, SentinelOne has not experienced a single claim or payout, but no security system is perfect and by law of large numbers Grossman expects to see an event down the line.