Citadel Security to offer software insurance for companies

Computerworld - Citadel Security Software Inc. today announced an insurance plan under which customers that use its Hercules vulnerability remediation product will be reimbursed for the cost of restoring systems or data if their networks are attacked and Citadel fails to meet its service-level agreements.
Dallas-based Citadel has acquired a policy from insurance giant American International Group Inc. (AIG) to cover its obligations under the warranty program, which will be offered at no extra cost to its customers. The amount reimbursed would be limited to the amount of the customer's Hercules contract.
The program is designed to bolster customer confidence in Citadel's products, while also holding the company accountable for its own technologies, said Citadel CEO Steve Solomon said in an interview with Computerworld.
"A lot of people deliver software, and that's where it stops," Solomon said. "We are putting our money where our mouth is."
The Citadel warranty program marks the first time that a major insurance company is backing a security product, said Phebe Waterfield, an analyst at Yankee Group Research Inc. in Boston.
From a customer standpoint, these sorts of guarantees are important because they demonstrate a security vendor's willingness to stand behind its products, she said. Though the real cost of a security breach often goes well beyond the immediate cost of restoring damaged systems and data, the Citadel warranty is a step in the right direction, Waterfield said.
"What I'd really like to see is these kind of guarantees being offered on all firewall, antivirus and intrusion-detection products," she said.
Citadel's announcement received an endorsement from U.S. Sen. John Cornyn (R-Texas). "This is a creative solution to the cybersecurity problem and signals a new direction in the willingness of software makers to guarantee the performance of their products," Cornyn was quoted as saying in a statement from Citadel.
House Government Reform Committee Chairman Tom Davis (R-Va.), who in the past has called for the private sector to take more responsibility for securing critical infrastructure, also praised the move by AIG and Citadel. "This collaboration is the kind of outside-the-box, industry-led, market-driven approach to securing information that we need to see more of," Davis said in an e-mailed comment to Computerworld.
Citadel's Hercules Security Compliance and Vulnerability Remediation software is an automated tool designed to help companies identify and fix vulnerabilities resulting from software flaws, unsecured accounts, unnecessary services, misconfigurations and back-door programs.
Under the company's new SecurePlus warranty program, Citadel will guarantee the delivery of " timely, accurate and effective remedies" for known software vulnerabilities, according to a