Cyber Insurance

Firm Backs Vulnerability Management Service With $1 Million Guarantee

San Francisco-based consulting firm AsTech has today announced a $1 million guarantee for its Qualys Managed Services offering. AsTech is one of a small but growing number of vendors applying a different approach to cyber insurance: a monetary guarantee against failure of their own products.

AsTech offers a range of niche managed services, including management of the Qualys vulnerability service.

Qualys provides a highly rated cloud-based vulnerability management service. But like all services, its success can depend upon the quality of its implementation and use. The security skills shortage pressures organizations to buy in such services, but also makes it difficult for them to apply them correctly. This is the raison d’être for managed services: where organizations cannot be certain of implementing and operating their own cybersecurity, they can turn to a managed services provider to do it for them.

In general, the problem is that there is still nothing to guarantee the skills of the service provider; and the customer remains liable for the cost of any breach. Today, AsTech is disrupting this model by announcing that it has sufficient confidence in its own Qualys-based skills to guarantee that it will not fail its users.

“Qualys software suffers from the same problems suffered by most security controls,” explains Nathan Wenzler, AsTech’s chief security strategist. “Sometimes the configuration isn’t properly set up, and sometimes it just deteriorates over time. We have the in-house expertise to ensure correct configuration and use. Now we’re adding guaranteed risk mitigation on top of that. If we miss something, we take some of that risk away from the customer and put it back on ourselves.”

AsTech is now offering an optional add-on insurance package, called Vigilance, for its Managed Qualys Service. It guarantees to cover breach-related costs of up to $1 million caused by a failure of the Qualys implementation. “We’re guaranteeing that in setting up and tuning Qualys, we will find all of the vulnerabilities, we will find all of the assets, and we will tweak the tool to such a high degree of accuracy that for all perimeter-facing assets the customer will not miss anything that an attacker could exploit. Should an organization be breached from the perimeter and from a vulnerability that Qualys should be able to detect, then we will cover data breach costs that occur up to $1 million.”

This is a cross between insurance (it transfers financial liability to a third party) and a guarantee (it guarantees the performance of a product). AsTech is not the first vendor to provide such a guarantee: it already has a similar guarantee for its Paragon Security Service, while last year SentinelOne announced a $1 million warranty (up to $1,000 per affected endpoint) for the performance of its product against ransomware.

“This is a new security model that we’re applying to a lot of things,” comments Wenzler. “We first did it with a security program we call Paragon which is specifically for application security: code review and vulnerability analysis and help with remediation, and we ensure that you will not be breached with a $5 million guarantee.”


It is a model that has the potential to disrupt the growing ‘traditional’ insurance model for cybersecurity if enough vendors adopt it. AsTech is actively investigating which of its other services can be included within the Vigilance model. But it needs to be understood. For example, Vigilance for Qualys Managed Services is not a blanket insurance against all breaches. It only covers perimeter breaches through a vulnerability that is included within the Qualys vulnerability service, which is considered to be one of the better vulnerability services. The Qualys Cloud Platform gives customers a continuous, always-on assessment of their global security and compliance posture, with 2-second visibility across all global IT assets, wherever they reside.

This could potentially lead to some grey areas. For example, compliance failure costs would not normally be covered. But compliance is becoming an increasingly complex area. The EU’s General Data Protection Regulation isn’t simply about data protection; it is also about data governance. A fine for data governance non-compliance would not be covered by the AsTech insurance, but a GDPR fine specifically relating to data loss caused by exploitation of a vulnerability known to Qualys would be covered.

“It’s not going to cover compliance fees or fines,” explained Wenzler; “only data breach-related costs, such as notification costs. Remediation, such as pay outs to customers for credit monitoring services, would be covered; but not costs like fines levied for compliance failures. The key is that the guarantee is related to data breaches — so if a compliance fine is directly related to the data breach, it would be covered; but if the fine is related to general non-compliance, it would not be covered.”

Vendor product guarantees are a nascent market with the potential to grow. “We’re seeing a lot of interest from customers and other people who recognize that you can hire security people for just about anything, but you still run a level of risk if the person or group you hire makes a mistake, sets up a firewall incorrectly or whatever. At the end of the day you’re still responsible and liable for the data and to your customers.” Product guarantees can limit that liability in specific areas without the need for complex and costly general insurance.

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
