Palo Alto Networks Granted U.S. Department of Homeland Security SAFETY Act Certification

We are pleased to announce that we have received the U.S. Department of Homeland Security’s (DHS) SAFETY Act Certification for Palo Alto Networks Next-Generation Firewall and a number of related subscription services that are fully integrated within our security platform. The services included in this certification are Threat Prevention, URL Filtering and WildFire (which identifies and automatically generates preventive measures against zero-day and advanced persistent threats).

SAFETY Act Certification is an important development that not only benefits Palo Alto Networks but also helps provide liability protection for our customers.  Specifically, SAFETY Act Certification will also provide certain benefits for our customers if they are the victims of a terrorist attack, provided that certain conditions are met.

However, because the SAFETY Act liability protections have never been invoked, we believe it’s critical and responsible that we clearly explain the history of the SAFETY Act, the requirements needed for the Act to apply, and the overall benefits and limitations of the Act.

As indicated by the name, this Certification is derived from the Support Anti-Terrorism by Fostering Effective Technologies (SAFETY) Act. SAFETY Act Certification provides third-party liability protection to sellers and users of covered products and services in cases where the product or service is implicated in a third-party lawsuit arising out of an act of terrorism. SAFETY Act protection can only be triggered if the Secretary of Homeland Security formally designates the attack as an “Act of Terrorism.”

The program was enacted after September 11 to ensure that the threat of legal liability did not deter the development and deployment of anti-terrorism technologies that could save lives. This protection was originally granted for physical products, like X-ray machines, and explosive detection products; but as the threat environment has developed, the SAFETY Act has been expanded to include hardware- and software-based cybersecurity technologies.

To receive the Certification, we underwent a rigorous vetting process over a year-long period, submitting thousands of pages of documentation to the Department of Homeland Security to demonstrate the high quality of our next-generation firewall and related subscriptions. We voluntarily underwent this process because we recognize that the SAFETY Act Certification, like numerous other certifications we’ve received, provides important validation and assurances to our customers.

On principle, we are foremost focused on working with governments and businesses around the world to implement our next-generation security technologies to proactively prevent cyberattacks as a principle means of reducing an organization’s overall cyber risk. We view potential liability protections after a cybersecurity incident has already occurred, like those provided by the SAFETY Act, as a complement – not a substitute – for a comprehensive cyber risk management strategy built on a foundation of a prevention-first security architecture.

The SAFETY Act establishes a useful system for “risk” and “litigation management” for sellers and users of SAFETY Act-certified products, but it does not provide blanket liability protections. There are several conditions that must first be met in order for the protections provided under the SAFETY Act to apply.

First, as noted above, the Secretary of Homeland Security must formally declare that an “Act of Terrorism” has occurred. To date, the Secretary has never declared an “Act of Terrorism” for SAFETY Act purposes, and no vendor or user of a certified product has invoked the protections of the Act. Further, the SAFETY Act only protects Palo Alto Networks and its users if the reason a designated “Act of Terrorism” occurred, and was successful, was explicitly because the SAFETY Act-covered product failed in some way. If the “Act of Terrorism” was successful for reasons unrelated to the failure of the covered product, such as the failure of another vendor’s product or a customer’s negligence in its security practices, the Act will not apply. Finally, the SAFETY Act protections only apply to third-party lawsuits. The Act does not prevent regulatory or other types of claims against customers of a certified product.

SAFETY Act protections are conditional and unprecedented, but the U.S. Congress and Department of Homeland Security established this program as an investment in risk management against terrorist attacks. While we believe it is prudent to have a comprehensive risk-management strategy, preventing successful attacks remains the focus of our company and the core functionality of our next-generation security platform.