SecurityScorecard delivers security posture assessments by analyzing companies’ external surface visibility. It is so convinced on the accuracy of these assessments that it is now offering free digital forensics and incident response (DFIR) services to customers that are breached.
The offer, called Score Guarantee, is dependent on two things. First, the customer must have scored an ‘A’ rating in its surface analysis, and second, the complementary DFIR is limited to 20 hours.
The Score Guarantee is not related to cyberinsurance. Although the firm and its ratings are used by insurance underwriters, the Score Guarantee is neither underwritten by insurers, nor intended to be an alternative to insurance. It is purely the firm’s statement of confidence in its own services.
In reality, a company sufficiently security aware and active to receive an ‘A’ rating is likely to have separate cyberinsurance. However, SecurityScorecard is sufficiently confident in its ratings, that the guarantee is independent of the usual retentions, deductibles, exclusions, or additional conditions of cyberinsurance.
For example, it is not subject to the cyberinsurance war exclusion clause. Mitchell Bezzina, VP of product marketing & GTM, told SecurityWeek, “Our guarantee would apply regardless of the insurance company’s decision to cover the incident. We have no exclusions related to the type of incident.”
The Guarantee is entirely unrelated to any cyberinsurance. “Whether or not a company has cyber insurance is a decision personal to that customer and its risk management strategy,” continued Bezzina. “For example, it may elect to self-insure, or it may have a risk appetite that dictates a limited need for insurance. If a qualified customer has an incident, it will gain 20 hours of complementary IR services – any other response costs beyond that are taken by the customer in accordance with its risk management strategy.”
SecurityScorecard’s confidence comes from its own research showing that companies receiving an a ‘A’ rating are 7.7-times less likely to suffer a cyber-incident than companies receiving an ‘F’ rating.
SecurityScorecard can highlight areas where defense should be improved. The same principles can be applied to supply chain thirty-party websites. In February 2023, the firm’s research revealed that 98% of organizations have a relationship with a third party that has been breached.
But if weaknesses found by the firm’s analyses are improved and an ‘A’ rating is achieved, a breach is less likely – and the firm will underwrite its confidence in this assertion with 20 hours of free DFIR. The Guarantee is a clear statement from the company: “if your organization increases its security rating to an A, it is less likely to experience a cyber incident.” No ifs or buts.
Headquartered in New York City, SecurityScorecard was founded in 2013 by Aleksandr Yampolskiy (CEO), and Sam Kassoumeh (COO). It has raised a total of $292.2 million, most recently in a Series E round of $180 million in March 2021. This followed a Series D round of $50 million in June 2019.
Related: BitSight Raises $250 Million at $2.4 Billion Valuation
Related: The Wild West of the Nascent Cyber Insurance Industry
Related: Consortium Promotes Principles for Fair and Accurate Security Ratings