The ransomware warranty: guarantee or gimmick?

With all due respect to Ben Franklin, we believe there are three certainties in life: death, taxes, and now, ransomware.

By 2031, ransomware is expected to attack a business, customer, or device every two seconds, costing victims around $265 billion annually—according to Cybersecurity Ventures.

Just last month a ransomware attack hit the Los Angeles Unified School District, the second largest in the U.S. Hackers demanded a ransom and leaked over 500GB of stolen data.

So if ransomware is inevitable, wouldn’t you want a ransomware warranty? Just in case? After all, who wouldn’t want a guaranteed payout if and when the worst ends up happening?

But buyer beware. As with most warranties, “terms and conditions apply.”

Real terms and conditions from major data protection and data security  warranties

It’s amazing what some companies will promise just so you’ll buy their products. But if and when you need to make a warranty claim, get ready to read the fine print.

Let’s start with the bad news before we turn to the worse news.

These warranties will not:

• Cover any malware introduced by a third-party into your internal systems through a breach in your system security. For example, if a hacker from a foreign country were to breach your security and introduce malware, that wouldn’t be covered.
• Cover any malware introduced into your internal systems by your personnel through a breach in your system security. As an example, by way of certain types of phishing (note: CISA says 90% of all cyberattacks begin with phishing).

And if those exclusions don’t scare you away, this might. Here’s just a sample of the dozens of additional conditions you’ll need to meet to exercise the warranties:

• Sign up for a monthly health check and follow all instructions regardless of how burdensome or costly. If not, no payout.
• Continuously download all new versions and patches. If not, no payout.
• Obligate you to follow both (a) the rules in the frequently changing “security hardening” document and (b) “then-current” industry best practices regarding the protection of access credentials, an area phishing attackers regularly target. (Keep in mind, too, that how these “best practices” are defined is open to interpretation and left to the subjectivity of the vendor.) If not 100% compliant, no payout.
• Pay for a non-refundable customer experience manager consulting service. If not, no payout.
• Agree to a public case study of how you were compromised. If not, no payout.
• Ask permission of the vendor before you begin incurring costs to recover from the attack.  If not, they won’t cover your expenses.

More deceiving still, representatives of these companies ask you to believe it’s a $5M to $10M payout. But read the fine print and you’ll see the amount is a mere fraction of what you paid the vendors originally. Plus, even if you somehow managed to prove you’d met the multitude of conditions and requirements, that would only qualify you for reimbursement of actual pre-approved data recovery, restoration, or re-creation expenses after you incurred them. And, adding insult to injury, any ransomware payments that have to be made aren’t eligible for reimbursement.

More harm than good

But you might be thinking, well, signing these warranties can’t do me any harm, right?

Wrong. Warranties tie your hands, as signing them limits you to a sole and exclusive remedy with those vendors and sets them up to blame you for causing the problem through a multitude of escape clauses. At the end of the day, warranties like these are little more than thinly veiled limitations of liability benefiting the companies—rather than you, the customer.

After reading through all the minutiae and legalese, one customer joked they’d probably be asked to dance in the rain next—the list of warranty conditions was that endless. Even our customers are discovering these warranties are a gimmick.

Cohesity FortKnox: no gimmicks, just gold

So if warranties aren’t helping you defend against ransomware, what will?

A real technology solution you can fall back on if the worst happens.

Cohesity FortKnox, our SaaS cyber-vaulting, data isolation and recovery solution, was recently named the Gold Winner in the Business Continuity and Data Protection category and won Best of Show at VMware Explore 2022.

FortKnox is a real technology solution that stands on its own—no gimmicks needed. It improves cyber resiliency with an immutable, “gold copy” of data in a Cohesity-managed cyber vault. This empowers organizations to prepare for and recover quickly from attacks, with granular recovery back to the source, or an alternate location, including the public cloud. Thanks to its “virtual air gap,” always-on, multi-layered security features, and ML-based anomaly detection, FortKnox protects you not just from ransomware but also against insider threats in ways others simply can’t.

Here’s what else Cohesity offers:

• An additional layer of real ransomware protection that may help you qualify for cybersecurity insurance, as it did for a metro Atlanta school district
• Industry-leading SaaS and self-managed data protection, trusted by nearly half the Fortune 100
• The most scalable data security and data management platform in the industry—one that’s better, faster, cheaper, and safer
• The best Security Advisory Council out there, led by Board member Kevin Mandia, the world’s leading cybercrime fighter. Trust us: This Council’s advice is worth more than any gimmicky warranty.

We will match the same warranties as our competitors, but it won’t protect you any more than theirs do. We’d rather offer you the guarantee of a world-class data security and management platform, with the benefit of a world-class Security Advisory Council.

Put us to the test.

We can’t help you solve death and taxes. But when it comes to ransomware, you’ll do better with us.

To learn more about Cohesity FortKnox, click here.