Security Vendor Offers Insurance For Timely Fixes

Worldwide insurer American International Group Inc. said Thursday that it will back the Hercules software-vulnerability remediation service offered by Citadel Security Software Inc. Citadel promises to fix high-risk vulnerabilities within 24 hours or it will reimburse customers for the cost of restoring systems or data if their networks are attacked.

This is the first time an insurer like AIG is providing insurance to a software security vendor, Yankee Group analyst Phoebe Waterfield says. "It means the insurer feels comfortable with the risk, like a bookie putting money behind the guarantee," she says. While it's a great step forward for the vulnerability-assessment and remediation industry, Waterfield doesn't think it's enough to push Citadel ahead of competitors.

Waterfield wants to see insurance coverage extended to other segments of the security software market. "In the antivirus market, it could mean we can't get infected," Waterfield says. "I'd like to see insurers put money behind the antivirus players."

Citadel developed the Hercules SecurePlus warranty with AIG Product Development's General Insurance unit. It covers payments that Citadel will make to customers if it fails to meet service-level agreements to fix or remediate known vulnerabilities within specific time frames. AIG agreed to provide insurance to the program because it has confidence in Citadel's risk-reduction tools and strategies, Ty Sagalow, president at AIG Product Development, General Insurance, said in a statement.

The move drew praise from Congress, which has been urging the private sector to take a greater role in improving security. U.S. Sen. John Cornyn, R-Texas, applauded the agreement and said such collaboration could forestall action by Congress to set security requirements and penalties.