Fixing the lemons market?
This page celebrates the InfoSec vendors who voluntarily offer cyber warranties.
| Company name | Product name | Announced | Coverage limit | T&C | Security condition |
|---|---|---|---|---|---|
| AsTech | Paragon Security Program | 2017 | $5m | No | only covers approved vulnerabilities |
| Cymmetria | MazeRunner | 2019 | min($1m, 2 × subscription fee) | No | must install, deploy, operate, repair, maintain or update in accordance with the instructions supplied |
| CrowdStrike | Falcon Complete | 2018 | $1m | No | must be configured with recommended protection posture |
| MyDigitalShield | Network Threat Protection Lite | ? | $10k | Yes | must maintain appropriate computer and internet security |
| MyDigitalShield | Network Threat Protection Standard and Pro | ? | $50k | Yes | must maintain appropriate computer and internet security |
| SentinelOne | malware protection solutions | 2016 | $1k per endpoint, $1m per company | Yes | must be configured in accordance with the Documentation |
I believe that cyber warranties could align incentives so that InfoSec vendors build more effective products. The following video sketches out the argument (and embarrassing overproduction):
Those who prefer the written word can read our article written for a general audience.
In a paragraph, we argue that offering a cyber warranty imposes relatively more cost on vendors who build insecure products. Such vendors’ customers would be breached more frequently due to the ineffective product and so would claim indemnity payments under the warranty more frequently. Thus, vendors of ineffective products would face higher costs. However, this only works if: (a) all vendors offer a warranty; (b) warranties cover a meaningful fraction of losses resulting from ineffective products; and (c) the warranties do not contain weasel clauses.