Citadel Security Software has announced an insurance plan under which customers that use its Hercules vulnerability remediation product will be reimbursed for the cost of restoring systems or data if their networks are attacked and Citadel fails to meet its service-level agreements.
Dallas-based Citadel has acquired a policy from insurance giant American International Group (AIG) to cover its obligations under the warranty program, which will be offered at no extra cost to its customers. The amount reimbursed would be limited to the amount of the customer's Hercules contract.
The program is designed to bolster customer confidence in Citadel's products, while also holding the company accountable for its own technologies, said Citadel CEO Steve Solomon said in an interview with Computerworld.
"A lot of people deliver software, and that's where it stops," Solomon said. "We are putting our money where our mouth is."
The Citadel warranty program marks the first time that a major insurance company is backing a security product, said Phebe Waterfield, an analyst at Yankee Group Research in Boston.
From a customer standpoint, these sorts of guarantees are important because they demonstrate a security vendor's willingness to stand behind its products, she said. Though the real cost of a security breach often goes well beyond the immediate cost of restoring damaged systems and data, the Citadel warranty is a step in the right direction, Waterfield said.
"What I'd really like to see is these kind of guarantees being offered on all firewall, antivirus and intrusion-detection products," she said.
Citadel's announcement received an endorsement from U.S. Sen. John Cornyn (R-Texas). "This is a creative solution to the cybersecurity problem and signals a new direction in the willingness of software makers to guarantee the performance of their products," Cornyn was quoted as saying in a statement from Citadel.
House Government Reform Committee Chairman Tom Davis (R-Va.), who in the past has called for the private sector to take more responsibility for securing critical infrastructure, also praised the move by AIG and Citadel. "This collaboration is the kind of outside-the-box, industry-led, market-driven approach to securing information that we need to see more of," Davis said in an e-mailed comment to Computerworld.
Citadel's Hercules Security Compliance and Vulnerability Remediation software is an automated tool designed to help companies identify and fix vulnerabilities resulting from software flaws, unsecured accounts, unnecessary services, misconfigurations and back-door programs.
Under the company's new SecurePlus warranty program, Citadel will guarantee the delivery of " timely, accurate and effective remedies" for known software vulnerabilities, according to a description of the program.
Currently, Citadel delivers fixes and work-arounds for high-risk vulnerabilities within 24 hours of discovery of the flaw; for medium-risk vulnerabilities, it said it delivers a fix within 72 hours. If a Hercules customer is attacked because Citadel is unable to deliver fixes within those time frames, the company said, it will be reimbursed for "eligible information asset loss or the cost of restoring their lost data," up to the amount of the Hercules contract.
This isn't the first time that a security vendor has offered such guarantees, though it is the first program to be publicly backed by a large insurer.
In January 2004, Atlanta-based Internet Security Systems launched a money-back guarantee program under which customers of its Managed Protection Services are reimbursed up to their annual contract value for breaches resulting from services covered by the program.
This isn't AIG's first foray into the cybersecurity market, either. In October 2003, the company said it would offer discounted insurance rates to customers that deploy security sensors being developed by the Cyber Incident Detection & Data Analysis Center, a Philadelphia-based volunteer partnership of more than a dozen IT vendors.