In New Deal, Sepio Systems Will Pay Customers It Fails To Protect
'The idea is that if our solution is not delivering the level of security that our customers expect, as long as the system is installed, there will be insurance coverage for any damage and loss caused a by such an attack, a potential attack, to a customer,' Sepio Systems CEO Yossi Appleboum tells CRN.
Sepio Systems is offering a new benefit to customers that solution providers said could boost its rogue device mitigation software business: a payout for damages if the software fails.
The Rockville, Md.-based security startup recently announced a new strategic partnership with German reinsurance firm Munich Re Group, whose venture capital arm, has contributed to $4 million in new funding to the company's recent Series A round. The company's total funding is now $15 million.
[Related: Microsoft Makes Azure Sphere GA To Secure IoT Devices]
As part of the partnership, Sepio is now offering a performance guarantee for its rogue device mitigation software, which protects business networks against IoT devices, computer peripherals and other kinds of devices that can get infected by attackers. The insurance, which comes at no extra cost to existing and new customers, is backed by a subsidiary of Munich Re.
Yossi Appleboum, co-founder and CEO of Sepio, told CRN that his company is offering the performance guarantee because he is confident in Sepio's security capabilities. But at the same time, he said, he wants Sepio to be there for its customers if the software fails to protect against an attack.
“The idea is that if our solution is not delivering the level of security that our customers expect, as long as the system is installed, there will be insurance coverage for any damage and loss caused a by such an attack, a potential attack, to a customer,” he said in an interview, “which is as far as I know, and unique and maybe the first time something like that is being offered in the industry.”
When asked about the details of the performance guarantee policy and how Munich Re will determine payouts for customers, Appleboum was light on details.
"Since [Munich Re] the re-insurer, they will be part of the process with the customer in case of a claim. So, they will know everything," he said in a follow-up email.
Andre Knoerchen, head of new technologies and artificial intelligence underwriting at Munich Re, said the company's specialists vetted Sepio's technology and found it "superior to existing rogue device detection and mitigation techniques."
"This partnership is just the first step in a long and collaborative relationship where customers will benefit from Sepio's ability to create unique and innovative solutions to secure hardware devices while being backed by Munich Re's performance guarantee insurance," Knoerchen said in a statement.
Sepio's software uses a combination of physical fingerprinting technology and device behavior analytics to give businesses what it says is "full visibility into their hardware assets and their behavior in real time." With a full inventory of a company's hardware assets, Sepio gives IT administrators the ability to set usage rules for devices at a granular level and continuously monitor networks for threats.
While IT needs have radically changed in the past few weeks, with many businesses sending employees to work from home, Appleboum said Sepio's software is equipped to deal with work-from-home environments where employees plug their own peripherals, like keyboards, into their work PCs.
"They don't have any visibility into the peripherals. They don't have any clue what is being connected at any time. And they don't have any ability to control that," he said. "And that's insane. And this is where our solution, out of the box, in no time, can bring immediate value and security to our customers."
Hacking into a mouse to gain control of a system may sound outlandish, but there are documented instances and research showing it can be done, according to Appleboum. For instance, another cybersecurity startup, Bastille, found in 2016 that millions of wireless mice can be penetrated because of the way they use unencrypted signals to connect with a PC.
"Your keyboard is an IoT device by any definition," he said. "It has a computer. Inside there is a small microcontroller. It has access to your data and access to your infrastructure. So that's an IoT device."
Michael Crean, president of Solutions Granted, a Virginia-based managed security services provider, said if Sepio is providing the performance guarantee to new and existing customers at no extra cost, it could help the software vendor win the confidence of businesses who may be on the fence about a relatively new category in security software like rogue device mitigation.
"If they're going to grandfather this in to all of their existing customers, then I think they are putting their money where their mouth is," he said. "And I believe they're standing up and saying, 'We've got it. We're good. We know it. And we're going to show it by doing this.'"
The big question about Sepio's performance guarantee is the fine print, according to Crean.
"The devil's in the details," he said.
Crean said the insurance reminds him of the $1 million threat protection guarantee program offered by endpoint security vendor SentinelOne.
"It's just interesting to see. Is this a sign of things to come?" he said.
Justin Kallhoff, CEO at Lincoln, Neb.-based MSSP Infogressive, said with Sepio's performance guarantee, the vendor is "hedging [its] bets for a customer acquisition increase" while acknowledging the reality that no security solution is ever 100 percent bulletproof.
"Anybody that says we're going to prevent all breaches, customers should get concerned, so you bridge that gap through insurance. You give people that comfort and cybersecurity," he said.
Kallhoff said he has considered adding cybersecurity insurance to Infogressive's portfolio of solutions and services but doing it right can be challenging legally and even politically, pointing to legal challenges the National Rifle Association is facing over insurance products it offers.
"I think it's tough because of the laws and challenges around insurance and how it gets applied to technology, particularly cyber risk," he said. "That's the reason not many security companies are solving that problem."