Cohesity: Don’t rely on ransomware guarantees

Cohesity has suggested that ransomware recovery failure guarantees – such as the ones that Druva and Rubrik offer – are not worth the paper they are written on.

This is because the most common attack vector for ransomware – phishing (employee error) – is excluded.

The customer also generally has to abide by some definition of best practices, which is a recipe for legal dispute. The guarantees don’t cover ransom payments either, only recovery costs.

Tim Robbins, Cohesity

Tim Robbins, Cohesity chief legal officer, told us in a briefing that he’d read the Druva and Rubrik ransomware guarantee documentation. He said: “The first thing that stands out to me is … there’s some right upfront exceptions and these definitions … exclude most forms of ransomware attack – particularly foreign intrusion.”

Our understanding is that if someone in your organization downloads software into your environment believing it to be a harmless application, and it turns out to carry ransomware, the resulting loss is not covered. Additionally, these companies don’t pay the ransom – they pay recovery costs.

A look at the Rubrik and Druva warranty agreement documents bears this out:

[Image: Druva ransomware exception from its Data Resiliency Guarantee agreement]

[Image: Equivalent Rubrik exclusions from its Recovery Warranty Agreement]

Robbins said these definitions “exclude the things that are most dangerous and most common – for example, losing your credentials, turning your credentials over to the bad guys. That’s the number one cause of ransomware or foreign third-party intrusion into your network.”

Our understanding is that general cyber security companies do not offer ransomware guarantees against phishing and equivalent attacks because they are so difficult to prevent. Robbins agreed.

A disadvantage of ransomware guarantees is that they can put the customer and supplier into an adversarial relationship instead of a cooperative partnership. Robbins characterized this as “a blame game, rather than a team recovering when the chips are down.”

Then he revealed that Cohesity had offered to match these guarantees in some customer deals. “We’ve offered them. We said, if you really need it, to check the box or something, we would match these guarantees. But we tell them why they’re not worth it. We think they’re negative value. And we’ve never had a customer ask us for one.”

Druva and Rubrik

A Druva spokesperson said: “While cyber crime is on the rise and customers are looking for any advantage they can get, they are right to be discerning about the value of recent ‘guarantee programs’. Many programs are 1) singularly focused on specific threats and/or 2) are loaded with legal jargon to exclude, disqualify, or otherwise limit payout. The reality is many of these guarantees are first and foremost marketing campaigns in disguise. Fortunately for Druva customers, none of these conditions apply to our new Data Resiliency Guarantee.

“In fact, our guarantee includes five service-level agreements (SLAs) that cover the ransomware limitations and exclusions that Cohesity references. We also cover four other common data risks including human risk (ie accidental deletion), operational risk (ie data rot/corruption), application risk (ie backup reliability), and environmental risk (ie uptime). More importantly, Druva’s standard customer agreement already includes many of these clauses.

“In other words, our customer commitment, and the technology to support it, has been in place and proven out over years. The Data Resiliency Guarantee simply formalizes our commitment with a financially backed guarantee. As for abiding by best practices, we do require customers to use the features we built to protect their data, and to use industry standard best practices. We do not believe this puts us at odds with our customers.

“Finally, given Druva is 100 percent SaaS, it is in our best interest to help our customers successfully combat ransomware. A well-structured, straightforward guarantee gives customers the confidence that we are putting skin in the game to work with them, rather than making it ‘their problem’.”

When asked about Cohesity’s points, a Rubrik spokesperson replied: “We don’t have anything to share on the topic at the moment.”