A first-of-its-kind insurer-backed warranty product has launched in Australia. The warranty provides coverage for a software product developed by Arkose Labs and triggers if the software fails. The Brisbane native who developed the product says it’s a new approach to cybersecurity.
Kevin Gosschalk, CEO of Arkose Labs, described the cybersecurity industry as “a best-efforts enterprise.” He said his security offering is unique because there is an insurance-backed warranty on the software he sells.
“If you buy a TV and it’s not working, you get your money back, right? That’s pretty standard,” said Gosschalk. “When you buy a cybersecurity product, it’s about best efforts in terms of the efficacy of that product.”
Credential stuffing warranty
His firm’s credential stuffing warranty kicks in if his software isn’t doing its job protecting the customer from cyberattacks. “It’s not very different to a TV warranty but it’s just applied to security effectiveness, which has never been done before,” said Gosschalk.
Credential stuffing is where criminals use automation to test massive amounts of username/password combinations to take over consumers’ accounts.
An Arkose media release described these attacks as “the most prevalent and difficult type of online account-based attack to detect and mitigate, causing more consumer harm than ransomware.”
Arkose Labs, Gosschalk said, protects companies like Microsoft and video game firms like Blizzard and Roblox from these attackers.
“What our specific warranty guarantees is we will prevent them [bad actors] from trying those logins to get into your accounts and if we’re unable to do that, we’ll cover the cost of cleaning up the account being compromised by a fraudster,” said Gosschalk.
He said, in the case of a bank, that would include covering the money lost from accounts and the human labour associated with cleaning up the damage.
Insurance coverage for a software product
The release said the Arkose Credential Stuffing Warranty, with coverage up to $1.5 million, would also cover cyberattack response expenses including legal consultation, forensic services and notification expenses.
The product launched in the US in 2021 and has never been breached, so there have been no payouts yet.
“It is quite different to everything else that’s come before us in this space,” said Gosschalk.
He said the warranty is tied to specific metrics.
“There’s specific technology triggers where we know for a fact that the bad actor is trying to compromise an account,” said Gosschalk. “When it comes to covering losses, it also has to be tied to very tangible things.”
One factor that helped convince insurance carriers to back the product when it launched in the US, he said, was its attack service level agreement (SLA). This SLA, which guarantees that Arkose will stop an attack before it circumvents the Arkose product, was in place for five years before the company brought in the warranty. There’s never been a successful attack on the product.
“We were able to deliver to them and show them the efficacy of the product over numerous years, protecting some of the biggest companies in the world,” he said.
However, Gosschalk said it was challenging finding an insurer to back the product.
“We spoke to several carriers that had done cyber insurance policies but even those didn’t really get the idea of correlating it [the coverage] to technology,” said Gosschalk.
He said those insurers were more focused on insurance coverage after a cyber breach.
The insurer they ended up partnering with had experience with similar warranties connected to fraud.
“I remember pitching our product and showing our product demo at probably six or seven different hour-long meetings to different groups of people at the firm,” he said. “Insurance people are not technologists, so it was a journey.”
The biggest issue in their discussions was creating understanding around how the warranty coverage would trigger.
“It’s not like insurance in the sense that it’s not intended to pay out continuously, it’s intended to trigger if the product itself is defective,” he said. “So they had to get their head around the efficacy of the product.”
Gosschalk said winning the insurer over involved sitting them down for discussions with advisers and customers, and providing lengthy documentation and numerous presentations.
“They learned as much about technology as we learned about insurance through that process,” he said. “It was pretty fascinating.”