The Key to Discounted Cyber Insurance: A 'Bug Bounty'?
As cyber insurance evolves to account for new threats and cover developing international markets, one company is looking to leverage the prospect of cheaper insurance to change the way corporations acknowledge and address their cyber risk. Coalition, a cyber insurer founded in 2017 that offers cybersecurity tools and cyber and technology insurance plans to small- and medium-sized businesses, announced a partnership with “bug bounty” and vulnerability disclosure platform HackerOne. Under the terms of the partnership, Coalition’s policyholders will receive discounts on their policies if they use HackerOne’s services, which connect companies with “white hat” hackers that help discover and disclose software vulnerabilities in digital platforms, products, and IT systems. As part of the service, companies must set up “bug bounty” programs that offer compensation for hackers that uncover vulnerabilities. HackerOne takes a percentage of this compensation, which can vary depending on the type and severity of the vulnerability discovered and is set by each individual company. The partnership, which came about in part because Coalition co-founder John Hering also sits on the board of HackerOne, will see Coalition host HackerOne’s response app on its cyber risk management platform. The app includes cybersecurity tools that its policyholders can use for free. Though Coalition has only announced a partnership with HackerOne, Joshua Motta, founder and CEO of Coalition, noted that cyber policy discounts “are not exclusive to HackerOne customers.” “So anyone who has a bug bounty program or a vulnerability disclosure program, even if it’s a program they run by themselves or with a competitor of HackerOne, are still eligible for the discount from Coalition,” he explained. He added that while the amount of such discounts will “change from client to client because different companies request different coverage from us, and also because companies are different” in sizes and need, the discounts are generally “in the order of magnitude of 10 to 15 percent.” Motta explained that the impetus for the partnership and discount program was to change the way companies think about and address vulnerabilities in their software to better lower their cyber risk. “There is a temptation amongst companies, and even within the insurance industry, that it is better to know less about bad things, about vulnerabilities, because it can potentially expose you to more legal liability if you’re later on found to have ignored those things. And obviously I think that is a flawed way of thinking,” he said. Of course, software vulnerabilities are only part of the way hackers can access their victim’s systems. But Motta noted that because companies are free to design their bug bounty and vulnerability disclosure programs as they see fit, vulnerabilities can be defined broadly, such as specific email phishing threats. Exploiting software vulnerabilities to gain access to a system, however, has been an effective strategy behind some of most notorious cyberattacks. Vulnerabilities in Windows XP, for instance, paved the way for the worldwide WannaCry ransomware attacks that occurred last spring. Unsurprisingly, bounty programs are becoming increasingly common in the tech and corporate world, with companies such as Facebook, Microsoft and Uber offering compensation for vulnerability disclosures. They also have caught on in the federal government as well, with the Department of Defense launching its “Hack the Pentagon” and “Hack the Air Force” programs.
