Following the announcement of our new Warranty Program, we’ve received some questions regarding the details of the policy. Continuing our line of transparency and accountability, we’re more than happy to release the full text of the warranty and also to answer some of the most frequently asked questions.
Q: What’s covered under the warranty?
Our warranty program is intended to provide our customers with financial compensation in the event damages are caused by an advanced persistent threat (APT) attack that is not detected by our MazeRunner deception platform.
This means the following has to occur for the warranty to be triggered:
- Cymmetria’s Client installs, and then properly deploys, maintains, and updates the MazeRunner Deception Platform – Enterprise Edition. Once the product has been installed for the first time and registered with Cymmetria, the warranty comes into effect following a waiting period (which is required in order to ensure proper integration and deployment of the product on the Client's systems).
- Following the waiting period, if the Client detects a breach that it believes can be attributed to a successful lateral movement by an APT, Client must inform Cymmetria immediately and provide us with all relevant information.
- Cymmetria will then examine the claim, and if the breach is indeed deemed to be covered under the warranty, we will pay for damages up to twice the annual licensing fee or up to $1,000,000.
Q: What’s an APT?
Our warranty uses a slightly modified definition of the NIST definition of the term. We define "APT" or "Advanced Persistent Threat" as:
an adversary that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors (e.g., cyber, physical, and deception). These objectives will include establishing and extending footholds within the information technology infrastructure of the targeted organizations for purposes of exfiltrating Protected Information, undermining or impeding critical aspects of a mission, program or organization; or positioning itself to carry out these objectives in the future. The advanced persistent threat: (i) pursues its objectives repeatedly over an extended period of time; (ii) adapts to defenders’ efforts to resist it; and (iii) is determined to maintain the level of interaction needed to execute its objectives.
Q: What damages are covered under the warranty?
Our warranty program covers several types of damages that can be roughly classified as (a) the cost of hiring attorneys and digital forensic experts in order to explore a successful breach event; (b) notification costs for affected parties (if the breach is of a nature that requires it) and continued services to affected parties; (c) costs to repair or to regain access to electronic data or software that are denied during the breach event.
Please note that if Cymmetria can help you mitigate the damages by performing some of these functions, we will provide those services directly and the Client will not be able to claim these as damages covered under the warranty.
Q: What’s defined as a breach event?
We define a breach event as:
an APT attack, via Cyberspace, targeting an enterprise’s use of Cyberspace for the purpose of disrupting, disabling, destroying or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing Protected Information, which results in an APT successfully gaining unauthorized access, taking, copying, modifying or exfiltrating Protected Information from the Client's system.
Please note that the warranty specifically excludes scenarios against which we offer no protection to begin with, such as ransomware attacks (we do not cover that or other crypto-attacks), DDoS, malicious insider activity, breaches of physical security or the flat-out buying of information from your organization.
It is also important to remember that a condition for the warranty to apply is that the breach event has to be the result of a successful lateral movement, which, according to the terms of the warranty, occurs when an attacker pivots through a network in order to gain access to other machines and services from the initial access point he gained on his initial foothold, after breaching the network.
Q: What’s the catch? What are you exempting from the warranty?
Our exceptions to the warranty program can be summarized very simply: we won’t pay for damages caused by an improperly deployed system or by an attack our product isn’t intended to defend against. This means that if a Client has (negligently or intentionally) caused the product to malfunction, if the attack comes from an attack vector that completely circumvents us (such as the selling of information by an employee) or if the attack is of a type that is specifically excluded (such as ransomware or DDoS) – the warranty will not be triggered.
Q: How will you review claims that are filed?
The process for reviewing a claim is fairly simple: once a Client notifies us of a potential breach, if they wish to activate the policy, they will be required to send over all the relevant information that they have for our review. We will perform an in-house review of the information (which shall be subject to the terms of confidentiality outlined in the Software License Agreement establishing the relationship between us and the Client). Our experts have proven expertise in the detection of APT activity and they will start analyzing the claim. At the same time, we will contact our underwriters to notify them of the claim. Once we have completed our investigation and received a decision from our underwriters, we will notify the Client of a claim decision. If the Client's claim is found to be justified, we’ll forward payment for damages within 90 days.
If you have any additional questions or comments, feel free to contact Jonathan Braverman directly at email@example.com.
Disclaimers and notes:
- This summary is meant to be used for reference only and is not a replacement for the text of the Limited Warranty Agreement, which is the binding legal document. For the avoidance of doubt, it is hereby stated that use of the MazeRunner deception platform is governed solely by the terms of the License Agreement between Cymmetria and each Client. In the unlikely event of a contradiction between the terms of this reference document and any other document (such as the Limited Warranty or License Agreement), the terms of the Limited Warranty or License (whichever is applicable) shall govern over this summary.
- With the exception of the coverage offered by the Warranty program, MazeRunner is provided "as is" and Cymmetria claims no liability for any other damages for use of the product.
- The warranty program is not available for the MazeRunner Community Edition.
- At the request of our underwriters and as a condition of coverage for the warranty program, we may not publicly disclose the identity of our carrier. We are also required to notify you that the carrier does not endorse the insured’s product nor any warranty of same and it does not make any affirmative promises with respect to coverage of the warranty disclosed pursuant to this transaction. As you know, every claim is different and coverage is afforded pursuant to the terms and conditions of the applicable insurance policy.
- The contents of this document were last updated on December 6, 2016 and are subject to change without notice.
- Cymmetria reserves the right to suspend, cancel or discontinue the warranty program at its sole discretion, without notice.