Wednesday, February 28, 2024

10 Examples of Information Security Companies Ready to Be Financially Responsible for Missing Attacks

I remember a few years ago, in a past life, we ran an outsourced SOC for an international oil company. The value of the contract was close to $100 million, and one of the conditions was financial guarantees for damages in the event of an attack. It took 9 months to negotiate the contract, and this was the most difficult part. And now in the West it is becoming, no, not yet mainstream, but already common practice. For example, Aqua Security announced a $1 million guarantee in case cloud clients protected by its solution are hacked. Yes, there are conditions and refund restrictions (minimum contract amount, included components, a specific definition of “cloud attack”, etc.), but it is still a significant step forward.

Do you think this is the only example?

In September 2022, Defendify also offered $1 million in compensation in the event of an information security incident in an organization protected by its solution. At the same time, the reimbursement covers a wide range of incidents: ransomware, violation of legal requirements, business email compromise (BEC) or any financial loss as a result of an information security incident. Unlike cyber risk insurance, Defendify does not require you to sign any contracts, go through underwriting, settle claims, etc.

It is a similar story with the outsourced SOC from Arctic Wolf, which gives exactly the same $1 million guarantee as Defendify, and for exactly the same incidents, but judging by the mention of underwriting, this is still cyber risk insurance. The client receives the full refund of one million if they have previously invested in the information security company’s full portfolio; the refund is halved if the customer used the MDR service together with one of Arctic Wolf’s customer security analysis or employee awareness products.

How this contrasts with some Russian commercial SOCs, which insist, foaming at the mouth, that they are not ready to give any guarantees, since their work depends on many factors, and also “the customer is a fool”. At the same time, the same SOC does not hesitate to write on its main page about cybersecurity guarantees and its readiness to take responsibility. But when it comes to clarifying the extent of this responsibility, they begin to wriggle and refer to the Civil Code and to limits tied to the amount of the contract.

One of the first information security companies to offer financial guarantees in the event of an information security incident was SentinelOne, which back in 2016 announced financial protection for its customers affected by ransomware, also in the amount of 1 million dollars (per company, or $1,000 per node)! Yes, there are certain conditions under which the guarantee starts to work, but it is still better than sticking your head in the sand, avoiding responsibility and being unwilling to answer with your Fabergés for the result.

In fact, back in 2005, Citadel Security Software, together with the insurance company AIG, launched a cyber risk insurance scheme that guaranteed reimbursement to affected customers in the amount of the cost of data recovery or the cost of the information (however they measured it?), but within the cost of their contract with Citadel.

CrowdStrike made a similar offer to its customers in 2018.

Everyone likes a round sum of 1 million dollars!

But there are those who went further and offered an amount much larger than the notorious million. For example, Rubrik is liable for up to 10 million dollars, guaranteeing protection against ransomware. The sum depends on the size of the storage protected using Rubrik solutions.

By the way, Rubrik has one of the most elaborate warranty agreements of all the companies mentioned here, earlier and later. Still, an amount of 10 million obliges one to be more serious in such matters.

Not all companies are capable of launching such programs on their own. Therefore, providers of the relevant financial services are beginning to appear on the market, taking on all the difficult issues related to guarantees and liability. For example, in May of this year, the venture fund DVx Ventures launched a company, Cork, which is specifically designed to help information security service providers build a financial guarantee offer for their customers. And the first two contracts have already been signed, with Barracuda Networks and River Run.

I wonder when companies will appear in Russia that will offer their customers simple and understandable guarantees for the result of information security and will be ready to bear significant financial responsibility (not limited to the contract amount) for their activities, instead of living by the “AS IS” principle?..


Source link

www.securitylab.ru
