InfoSec Warranties and Guarantees

Original Working Session content: InfoSec Warranties and Guarantees


This Working Session aimed to answer the question of whether security companies should issue guarantees and warranties, and to provide a set of guidelines on the design and implementation of such warranties and guarantees.

Synopsis and Takeaways

Decisions on purchasing security products that come with cyber insurance should not be based solely on the warranty, no matter how good it seems. Some warranties may only provide secondary cover, which can be very expensive for the policyholder.

Reliance on a warranty requires the same scrutiny as buying cyber insurance, and some warranties may be little more than a marketing ploy. It is normally not worth investigating a product's warranty in depth when the cost of that investigation is weighed against the cost of the initial cover. Negotiating the warranty contract can usually achieve more favourable terms. Collecting information on companies that have submitted claims, and on the outcomes of those claims, would be useful.

Warranties should include:

  • Data to back up marketing claims
  • Independently validated data
  • A monetary value at least equivalent to what was paid at the point of deployment
  • Refunds from the vendor, not credit towards further services
  • The right to terminate the contract (termination clause)

Warranties should not be conditional on the purchaser's incident response or other internal procedures.

Purchasing decisions cannot be made purely on warranty claims. Other points raised in the session:

  • Vendors should provide data to support their marketing claims
  • Collecting information about companies that have submitted claims, and the results of that process, would prove useful
  • Warranties that cover something the policyholder has complete control over, such as:
    • Uptime
    • Direct performance indicators

Jeremiah Grossman - Why InfoSec Needs Security Guarantees