Cyber warranties – value or fluff?

By Henry Harrison

Menlo Security – a competitor of ours – has been making news with the announcement of their “$1m warranty”. The concept is that Menlo will pay up if their customers get breached as a result of a security weakness in the Menlo product. So – is this a valuable addition to the market, or is it just marketing fluff?

We’ve been talking with our customers about cyber warranties for some time, and what we’ve broadly concluded – for now – is that it’s a valuable addition in the mid-market, but not yet valuable in the top-tier enterprise market.

Here’s why.

There are two reasons why a cyber warranty might – in principle – be useful. The first reason is that if something bad happens, you get some cash. The second reason is that, to avoid paying out on the warranty, the vendor puts in real effort to try to ensure their product doesn’t have security weaknesses.

The first of those reasons is really valuable in the mid-market, where $1m is meaningful money. Indeed, all credit to Menlo for putting this on the mid-market table. But in the enterprise market, the cost of a breach is way more than $1m. In fact, in our conversations with our enterprise customers, many of them have told us that the costs of breaches are so high that they’re essentially uninsurable. $1m certainly doesn’t cut it!

So the second reason is the one that originally appealed to us. Could we offer a warranty that was big enough that customers could have real confidence in the efforts we make to ensure our product doesn’t have critical security weaknesses?

We got excited about this, but then we ran up against reality: the insurance market.

I don’t know if Menlo has taken out insurance to back any payouts they might have to make, but if they haven’t, I’d strongly recommend that they do so. We went to talk to the cyber insurance market and here’s what we found.

Firstly, at the level of $1m, the industry was gung-ho to underwrite a warranty offer. Indeed, as far as we could tell, they were willing to do so without any knowledge at all of how good the product actually was. They might want us to pay an “excess” – say 10% – but given that our contract values are typically many times that, that’s the sort of money that’s relatively easy to write off as a cost of sale. Indeed, we fully expect that many vendors who should be focusing on improving the quality of their code will now focus on getting insured warranties instead. Marketing buzz in general trumps a better product…

But our customers are very sophisticated, and we figured that they would see through that sort of offer pretty quickly. Clearly, we would need to be offering a warranty worth significantly more than $1m. What about a $100m warranty?

At that level, the conversation changes. $100m is real money – even to an insurance company – and to underwrite that, insurers will want real confidence in the robustness of the product that’s being warrantied. Insurers themselves just don’t have the skills to make that sort of evaluation, which means they need to rely on other people’s judgement.

That’s a conversation that’s ongoing. I can’t promise we’ll get there – but if we do end up offering a warranty, we’d like it to be at the sort of level that actually means something in the enterprise market.