Not every cyber security service offers a warranty and that has implications for their clients.

When a company that provides Endpoint Detection and Response (EDR) solutions recently introduced a new product, it offered up to $1 million of no-cost insurance coverage to customers to help spark interest. Wow. The marketing scheme worked and the company soon signed up big-name businesses. (EDR solutions are high-tech security systems that use automation to detect suspicious activities and enable teams to identify and respond to intruder threats.)

But what if your cyber security services provider does not offer a warranty?

We can learn a valuable lesson from this: managed IT services providers who offer a no-cost warranty can attract customers without breaking their own business budget.

But it also raises an important “just in case” question for client businesses: a law firm or other organization may have a layered, top-notch cyber security system in place, but what happens if a cyber hack occurs anyway and the cyber security services provider does not offer a warranty? Many security providers in fact do not offer such warranties, so a customer could be on the hook for any internal damages — like lost time and costs to rebuild the system — and external lawsuits brought by the victim company’s own clients.

One solution, of course, is for a company to buy its own insurance. But that can be expensive. Another solution is to investigate whether the security provider will attach the client to the provider’s own policy. That way, a cyber incident will generally be the provider’s problem, not the client’s (of course the client should have its legal adviser review the insurance contract). This can also be a good way to determine just how much confidence the security provider has in its own product. A provider that will not add a client to its own cyber policy may not be all that confident about the underlying product.

At eMazzanti Technologies, each year we get a few of these requests and, if the client’s policies and procedures pass a careful review, we generally will add them to our insurance policy. We also carefully detail, in writing, our responsibilities and the client’s responsibilities. If at that point, the client suddenly does a turnaround and declines to be added to the eMazzanti policy, we ask them to sign a waiver documenting their decision.

A cyber security provider that is willing to add a client to its insurance policy actually delivers services beyond the trust and financial protection it already offers. For example, when the cyber security provider vets the client’s practices (prior to adding them onto its own insurance), the provider may uncover procedural or other weaknesses that the client was unaware of and can now take steps to correct.

There may be reasons why a company wants to maintain its own cyber liability coverage, but right now, few companies are even asking their cyber security providers about this option. Perhaps more should consider it, particularly if their trusted legal adviser suggests it.

Carl Mazzanti is president of eMazzanti Technologies,  a cyber security and IT support organization based in Hoboken, NJ. The company can be reached at [email protected]