Cyber insurance has become a key risk management service for organizations bedeviled by the constant prospect of a crippling ransomware attack. And in a similar vein, some businesses may also now be able to further cover themselves by engaging in a warranty agreement with cybersecurity vendors.
Just this week, Rubrik, a provider of cloud data management and enterprise backup software, announced the launch of what it described as an industry-first warranty for post-ransomware attack data recovery and restoration services. This contract potentially covers up to $5 million in expenses in the event that that company is unable to recover protected data after a ransomware attack transpires. The objective: to instill a sense of confidence in current and potential customers that their data is in safe hands.
It’s not the first warranty offered by a cyber company, however. For instance, Crowdstrike in 2018 announced an endpoint breach prevention warranty, SentinelOne has a similar ransomware prevention warranty for subscribers of its malware protection solutions, and Deep Instinct offers a limited warranty that provides financial remedies to customers in the event of a ransomware incident.
But all these warranties seem to apply to cases of lapses in prevention, as opposed to failures in the recovery and resiliency department.
“In the past several years, some companies did threat prevention warranties, which is really about that external layer,” said Dan Rogers, president of Rubrik, in an interview with SC Media. “They're trying to prevent that threat from coming in. Ours is very different thing, [where] the bad guys have gotten through … But what we're going to give you is a way to recover.”
“In terms of data recovery, we've really pioneered” this warranty offering, Rogers continues. “And this is, essentially, putting our money where our mouth is, assuring our customers that we can recover for them.”
Forrester Senior Analyst Naveen Chhabra agreed that this is a new form of warranty to emerge in the cyber market, noting that it’s important that vendors can demonstrate their recovery readiness status to their clientele. After all, “they don’t want to be caught by surprise that, ‘Hey my backup is not ready, not available, incomplete or whatever.’ If they depend on your technology to backup with a defined SLA, you better give them the visibility,” he said. “So, this warranty is a step in that direction and a differentiator.”
That’s especially true, Chhabra pointed out, when you consider recent reports of the Conti ransomware gang developing techniques for destroying backups, in particular victimizing Veeam recovery software.
Rubrik offers its client a zero-trust data architecture air gaps the data it is charged with protecting, keeping it isolated yet always available, while also identifying and classifying any data it determines to be of high risk for exfiltration. When ransomware incidents occur, the company can also help with investigations. “We’re taking the snapshots of the data backups, we're looking to discover any anomalies, any unusual encryptions, any unusual deletions unusual movements in data,” said Rogers.
Rubrik also helps contain and mitigate incidents by providing victims with quarantined copies of their data to prevent infection, and then initiating recovery by feeding this data back into the applications that need it. The company believes this collection of services in total is foolproof enough to justify a guarantee in the form of a warranty.
Still, there’s always some level of risk when a large-sum payout is a stake. To mitigate these concerns, Rubrik requires its customers to follow a coded set of best practices in order to be eligible for the warrant. “These are industry best practices around how you do user access, how you have data health, [and] what the best policies and ideas are around data encryption,” said Rogers.
Additionally, customers are subject to health checks by a customer experience manager.
Indeed, Chhabra noted that a warranty offering could potentially backfire, unless the vendor has sufficiently hardened its platforms, develops a “deep arch understanding of a customer environment,” and ensures that clients have implemented the proper stack of solutions as recommended by the solution provider.
Another suggestion is for the vendor to insure themselves against an incident that might trigger a warranty clause. In fact, “many ransomware warranties are underwritten by insurance companies, which cover the cost of any payouts that may be needed, meaning they’re basically cyber insurance by another name,” said Brett Callow, threat analyst at Emsisoft.
So does that mean ransomware/breach warranties might in some cases preclude the need to also invest in insurance, or might a warranty simply help supplement insurance contracts? “How useful these warranties are and whether they may reduce the need for other forms of insurance really depends on the terms of the individual warranty," said Callow.
Chhabra, however, believes that warranties will “not eliminate the need for cyber insurance,” he said, adding: “Understand that cyber insurances cover an organization more holistically from possible cyberattacks. Ransomware is just one of them.”
While this may be the case, Rogers does hope that a ransomware/breach prevention or recovery warranty can at least help companies “reduce their premiums,” or even become eligible for coverage because cyber insurance companies “will look at this, versus other companies, and say, ‘Hang on, you guys have got a warranty on your recovery and these other companies don't.’”