Is Rubrik's Ransomware Warranty Worth the Paper It's Written On?

Editor's Note: This article reflects the personal views and opinions of the writer and not of our company or publication. The views expressed by the writer are based on their interpretation of the Rubrik USD $10 Million Ransomware Recovery Warranty's terms and conditions, which can be viewed at this link. We acknowledge the possibility that the writer's interpretation of these terms may contain inaccuracies or errors. To this end, we made efforts to contact Rubrik and shared the main points of this article with them. We invited them to fact-check and comment on our points; however, they declined to do so. Readers who want to review the writer's opinion can access the warranty terms and conditions to assess whether they agree with the points made below.

Earlier this year, my attention was “grabbed” by a spate of enthusiastic Rubrik employees hitting my social media timeline, extolling the company's recent(ish) announcement that they are expanding their ransomware warranty to provide a maximum coverage of USD $10 million.
 
It made for great headlines, but it got me curious. I know that Rubrik lays claim to having the best technology as the last stop against ransomware, namely being able to recover your data in the event that ransomware "locks you up." So, was this warranty a case of them literally putting their money where their mouth is?
 
I decided to take a deeper look to find out. Spoiler alert! I am going to tell you my conclusion before I share the details. My conclusion? The warranty is a nice marketing gimmick, but it falls down on being materially useful or valuable.

Let's deal with the elephant in the room first. What is it that Rubrik is covering you for? Perhaps more pertinent, what is it they are NOT covering you for? If you look at the marketing talk of any data protection company, they will tell you the real value of your IT assets is the data, not the technology itself; you can always buy new tech, but if you lose your data, that's the real cost to your business.

So, with that in mind, let's ask this question:

Q - Does Rubrik's warranty cover you for the cost of your lost data?
A - NO.
 
So, to be clear: if you have a Rubrik solution with the ransomware warranty and you can't recover your data after a ransomware attack, Rubrik WILL NOT be covering the cost of all that lost data.
 
What, then, do they cover? The terms of the warranty define a "Recovery Incident." This essentially means that if you are unable to recover your data from a Rubrik "Eligible Solution" (more about that later) due to a ransomware attack, Rubrik will pay what they describe as "Recovery Incident Expenses." In practice, this covers the money you spend unsuccessfully trying to recover your data from your last successful Rubrik backup that was compromised by the ransomware incident.
 
So, the USD $10 million is based on the costs you spend specifically trying to recover data from the Rubrik backup. It's difficult to see how any company could show USD $10 million in hard cash spent trying to perform a backup recovery. In fact, I would argue that if it's that difficult and expensive to recover data from a Rubrik device, you have to wonder whether their claims about quick, seamless recovery are justified. You can't have it both ways. (Note: I am being facetious; Rubrik has excellent recovery capabilities, and no company will spend USD $10 million on data recovery efforts.)
 
But let's entertain for a moment the notion that unsuccessful recovery efforts could become that expensive. What items might contribute to the cost?
 
Well, arguably, going to third parties (such as other security companies) for assistance with data recovery efforts could become expensive, and Rubrik will cover this, but only if they approve it in writing BEFORE you procure such services. Imagine the time pressure of trying to get access to data which Rubrik has failed to recover, while you must seek permission from Rubrik before you can engage an alternative provider. There is no SLA on how long they will take to approve, and if they refuse to allow you to use a particular provider, what happens then?
 
And by the way, if you do use a third party to help you, according to the warranty terms, that provider will also have to sign up to the warranty's terms and conditions.
 
If you check the statistics, a surprisingly high proportion of cyber attacks originate from the inside; insider threats are a known and genuine problem.
 
But in the realm of Rubrik's ransomware warranty, such attacks don't count. If you scrutinize the fine print, you'll notice this line: “Rubrik determines that the Ransomware Incident was not caused by Customer’s (or Customer’s agents’ or contractors’) negligence or misconduct.” In other words, if you fall victim to an inside job (which many companies do), Rubrik is off the hook.
 
This clause (specifically the use of the word 'negligence') also leaves a question mark over victims of social engineering attacks. If a member of staff is successfully phished or scammed, leading them to open your systems to a breach, can Rubrik argue that this is negligence? It would seem it's at least arguable. Note also who makes the call: the clause reads "Rubrik determines," so the decision on whether negligence or misconduct was involved rests with the party that would otherwise be paying out.
 
But hey, USD $10 million is USD $10 million right? Wrong.
 
The amount you are covered for is based on a sliding scale of how much data you are protecting. For example, if you are protecting up to 500TB of data, your maximum payout will be USD $250K. Only when you are protecting over 10PB of data will the payout be up to USD $10 million. And that's not per incident; that's the maximum aggregate payout across all incidents.
 
I have no doubt that customers protecting 10PB of data will be spending far more money with Rubrik than those protecting 500TB. However, that shouldn't be the determining factor in a warranty payout. Let's bring it back to the value of data. Ever since data protection became a "thing," vendors in this space have justified the cost of their solutions on the value of your data. The pitch runs: what is the cost to the business if you lose that data? On that basis, you can justify the cost of our solution.
 
Bringing the focus back to this warranty, it should revolve around the value of the lost data. For instance, 500TB of credit card transaction data that requires processing is significantly more valuable than 10PB of archived design files. But this warranty is not about compensating for lost data; it is about compensating for the cost of attempting to recover said lost data. Even then, the complexity of the data, rather than its volume, is likely to have a greater impact on the cost of recovery attempts.
 
And once a payment is made, you're good, right? Wrong. Even if Rubrik reviews your incident, determines it's eligible for a payment and makes that payment, if they then discover down the line that the incident was not new and was, in fact, what they term a pre-existing incident (i.e., an infection that predates Rubrik's solution being in place), they will demand their money back. I get the point, but it should be on Rubrik to diligently assess the claim, and once they decide on payment, that decision should be binding.
 
When it comes to making a recovery incident payment, Rubrik is going to require receipts for all expenses incurred in trying to execute the recovery. That seems reasonable, but hold on: what does this mean in terms of operating expenses? Is Rubrik going to pay you for the time your employees spend working on the recovery? If payment is only being made against hard receipts, I have to assume not. But how many times have you seen data protection vendors justify their solution by plucking figures out of the air about lost hours of staff productivity? (The question is rhetorical.) Unless Rubrik is paying for the hours staff spend on a recovery incident, a big chunk of your potential losses is being ignored.
 
When it comes to the other requirements you need to have in place, it becomes clear that Rubrik is not a plug-and-play solution. In fairness, I don't believe they ever claimed as much, but from a marketing viewpoint it can come across as an "appliance" type of play, which does suggest simplicity. We know that, in general, their solutions sit in the enterprise, and it's reasonable to expect that it will take skilled configuration and integration to get the solution up and running.
 
For the purposes of this warranty, customers must have what Rubrik describes as an "eligible solution," and this means conforming to a lot of configuration requirements and agreeing to regular health checks. Without going into all the details, they list 23 configuration/best practice requirements which must be in place for your solution to be eligible.
 
This means that if anything falls out of compliance with this list, then technically, Rubrik can get off the hook. This is not an unreasonable ask, but it's a case of "buyer beware." How confident are you that you can "always" keep everything up to date and in compliance with the terms? Even if you fall out of compliance for only 24 hours, that, as data protection vendors love to remind you, might be exactly the 24 hours in which your ransomware incident occurs. A practical consequence is that the 23 requirements need to be treated as controls you monitor continuously and can evidence with timestamps, not as a one-off checklist at installation time.
 
Also, some of the conditions for configuration requirements seem to be too open-ended for a warranty agreement. As an example, "Implement such other security measures and best practices as may be required by Rubrik from time to time over the course of the Warranty Period." These security measures and best practices are not limited to your Rubrik configuration, so you are handing over control to Rubrik as to what best practice means and allowing them to change that definition as and when they see fit.
 
We like Rubrik, and we believe they have a great solution. But in our opinion, this warranty is marketing hype to draw attention to their credibility when it comes to ransomware recovery. They would have been better served to provide advice and guidance on how you could use Rubrik to reduce your premium on specialist cyber insurance, which is likely a better bet for any company that is serious about insuring their cyber risk.

1 Comment

parablu.user1@gmail.com:

It's sad to hear about the recent data breach at Casio affecting customers worldwide. Incidents like these are a wake-up call, as it's crucial for companies to protect sensitive data. These events underscore the importance of reliable data security solutions to prevent such breaches in the future. Recently, I've come across Best Enterprise Server Backup & Recovery Solution | BluVault (parablu.com). It is a company known for its top-notch data security offerings and seems like a promising option for companies aiming to strengthen their data protection measures. https://parablu.com/bluvault-for-server-backup/ Remember, ensuring the safety of customer data should be a priority for all businesses.