The ransomware warranty: guarantee or gimmick?
October 2022 by Cohesity
Into the spotlights with Lynn Lucas, Chief Marketing Officer at Cohesity, leader in next-generation data management.
Global Security Mag: Since the beginning of the year, have you noticed the rise of new cyber threats?
Lynn Lucas: Threats are constantly evolving, but the reinforcement of the trends observed in recent years and especially the increased efficiency of existing techniques are particularly worrying. Ransomware is the most obvious example.
The figures are impressive. By 2031, ransomware is expected to attack a business, customer, or device every two seconds, costing victims around $265 billion annually—according to Cybersecurity Ventures.
Global Security Mag: How should technologies evolve to counter these threats?
Lynn Lucas: The technologies to prevent these attacks and restore systems in a very short time exist. But even when employees are trained to identify the risks, incidents still occur.
In this context, insurance companies have set up offers to support companies that might not be able to recover from an attack. In parallel, other companies have been inspired by this business model to develop their own warranties.
But obviously, given the sums involved, these guarantees come with exclusions that can be penalizing. It’s amazing what some companies will promise just so you’ll buy their products. But if and when a victim needs to make a warranty claim, it should get ready to read the fine print.
In most cases, these warranties will not:
Cover any malware introduced by a third party into your internal systems through a breach in your system security. For example, if a hacker from a foreign country were to breach the company’s security and introduce malware, that wouldn’t be covered.
Cover any malware introduced into internal systems by an employee through a breach in the system security, for example by way of certain types of phishing (note: CISA says 90% of all cyberattacks begin with phishing).
And if those exclusions don’t scare them away, here’s just a sample of the dozens of additional conditions a company will need to meet to exercise the warranties:
Sign up for a monthly health check and follow all instructions regardless of how burdensome or costly. If not, no payout.
Continuously download all new versions and patches. If not, no payout.
Obligation to follow both (a) the rules in the frequently changing “security hardening” document and (b) “then-current” industry best practices regarding the protection of access credentials, an area phishing attackers regularly target. (how these “best practices” are defined is open to interpretation and left to the subjectivity of the vendor.) If not 100% compliant, no payout.
Pay for a non-refundable customer experience manager consulting service. If not, no payout.
Agree to a public case study of how you were compromised. If not, no payout.
Ask permission of the vendor before you begin incurring costs to recover from the attack. If not, expenses will not be covered.
Even if the company somehow manages to prove it had met the multitude of conditions and requirements, that would only qualify for reimbursement of actual pre-approved data recovery, restoration, or re-creation expenses after they’ve been incurred.
Interestingly, any ransomware payments that have to be made aren’t eligible for reimbursement.
Global Security Mag: What are the highlights of the solutions you provide?
Lynn Lucas: Instead of these gimmicky warranties, Cohesity has developed FortKnox, a real technology solution that stands on its own. It improves cyber resiliency with an immutable, “gold copy” of data in a Cohesity-managed cyber vault. This empowers organizations to prepare for and recover quickly from attacks, with granular recovery back to the source, or an alternate location, including the public cloud. Thanks to its “virtual air gap,” always-on, multi-layered security features, and ML-based anomaly detection, FortKnox protects companies not just from ransomware but also against insider threats in ways others simply can’t.
Our offer includes an additional layer of real ransomware protection that may help qualify for cybersecurity insurance, industry-leading SaaS and self-managed data protection, the most scalable data security and data management platform in the industry.
In addition, we have implemented what we believe is the best Security Advisory Council out there. It’s led by Board member Kevin Mandia, the world’s leading cybercrime fighter.
We will match the same warranties as our competitors, but they won’t protect companies any more than theirs do. We’d rather offer our clients the guarantee of a world-class data security and management platform, with the benefit of a world-class Security Advisory Council.
Global Security Mag: What message would you like to send to CISOs?
Lynn Lucas: In France, despite the voices raised against these practices, the legislation is evolving in favor of insurance reimbursements of costs caused by ransomware attacks. These practices are to be distinguished from gimmicky guarantees that might subject companies to a significant risk, rather than protecting them. Prevention, security planning, reliable technology selection and regular testing combined with adequate employee training are the best possible protections against ransomware. Don’t be fooled by misleading offers!