Requirements to be Listed on This Site:
To be listed on this site, we have a few basic requirements for all vendors:
- The vendor must have a security offering.
- The vendor's warranty must cover its security offering (e.g. not other things related to business continuity, or equipment breakage, etc.).
- The vendor must have a warranty that is public (can be linked to) and not just word of mouth.
- The vendor must make its warranty terms public and notify us of changes to those terms.
- The vendor must act in good faith. If we identify companies who fail to make whole the terms of their warranties, we reserve the right to remove the vendor from this site.
In the spirit of transparency, we want to make certain that we weigh things openly and honestly. As such, we are making our grading system public and available for anyone to use themselves, especially as they are designing their own warranty:
- 40 points - Warranty & Remedies
  - Are the marketing materials aligned with terms
  - Covers most likely issues and in an amount approximate to real-world loss expectancy
  - Most commonly sold product or limited offering
  - Normal usage or (realistic) best practices
  - Product cost/refund/extension
  - Direct expenses: Ransom, Forensics, Remediation, Notification, Credit Monitoring, Fines & Penalties, other
  - Separate cost to customer such as premium charge or deductible: No/Yes/Minimum spend to qualify
- 40 points - Financial Security
  - Rated insurer (best)
  - E&O insurer (better than nothing)
  - Self insured (scored based on financial capacity)
- 20 points - Service/Claim Process
  - Vendor is the only person the customer must deal with (best)
  - Insurer is required to work with claim (so-so)
  - 3rd Party is required to work with claim (bad)
Originally compiled by Jeffrey Smith at Cyber Risk Underwriters.
Maintained by Jeremiah Grossman and Robert "RSnake" Hansen at Bit Discovery.
Please contact @RSnake for errata or additions.