Data management vendors Druva, AvePoint and Rubrik have begun offering guarantees that will recoup the costs of data that cannot be recovered, although analysts advise customers to do their due diligence when signing up.
Customers of such vendors can often choose to add a data resiliency guarantee as part of a larger cloud security offering. Many of these guarantees cover data loss due to incidents including ransomware, personnel error or application failure, and they are often free with the purchase of or subscription to a service. If a customer experiences data loss as defined by the agreement, the vendor will make a payout based on recovery incident expenses.
Guarantees range from AvePoint's $1 million up to Druva's $10 million. Infinidat and Rubrik also offer similar guarantees, and Dell plans to roll out its own in January. Druva has reported customers in the double digits since it began offering the agreement in August.
Phil Goodwin, research vice president at IDC, said these guarantees have become a differentiator in cyber recovery offerings.
"Cyber recovery and cyber attacks are such big concerns now that IT organizations are looking for anything and everything that can help them in their defense against those kinds of attacks," Goodwin said.
But analysts also sounded a word of caution about such guarantees, saying that for customers to reap any benefit, they need to read the fine print.
What vendors are offering
More than half (58%) of the IT and cybersecurity professionals surveyed reported that data recovery testing is part of their ransomware plan, according to research from TechTarget's Enterprise Strategy Group. In addition, nearly 9 in 10 organizations are concerned that their backup copies could be corrupted by ransomware attacks, with 43% reporting that they are very concerned.
Data resiliency guarantees provide another way in which disaster recovery and data backup vendors are addressing those concerns.
AvePoint's agreement launched earlier this year as part of its Ransomware Protection Toolkit. A customer must purchase AvePoint's Ransomware Warranty as part of a subscription to its AvePoint Cloud Backup service. Customers pay a price for the guarantee, but the vendor declined to disclose the amount.
There are services customers can purchase to prevent a ransomware attack, but they should also consider options such as guarantees if these services fail, according to John Hodges, senior vice president of product strategy at AvePoint.
"This comes from ransomware where encryption takes place, not all of a sudden and having one big attack, but something that takes time," he said.
To be eligible for Rubrik's data protection warranty, customers must purchase a subscription to Rubrik's Enterprise Edition, the company's ransomware remediation offering, or be using Rubrik Cloud Vault, its fully managed cloud service. Customers also need a subscription to Rubrik's Customer Experience Manager (CEM) service. The CEM provides a monthly check to confirm proper configuration and adherence to security best practices, according to the company.
Rubrik Enterprise Edition tiers start at 250 TB for $250,000. Rubrik Cloud Vault customers start at the same minimum data requirement and need subscriptions to both the Enterprise Edition and CEM service to qualify.
For Druva, the guarantee is available to those customers that purchase the Security Posture and Observability license, a SaaS offering. Existing customers are eligible if they satisfy the program criteria.
Stephen Manley, CTO at Druva, said the company's guarantee was a way to compete with its larger competitors. It offers coverage up to $10 million and covers against cybercrime as well as human, application, operational and environmental risks. Long-term data retention is also part of the deal.
"We're also going to guarantee that that data can't be leaked, compromised, exfiltrated -- anything to that effect from the cloud," Manley said.
Caution advised when signing
Marc Staimer, president of Dragon Slayer Consulting, said the guarantees are an attempt to create a level of assurance for customers. If customers take the time to review the guarantee, he said, they'll learn under what circumstances it applies and what the vendor will do if it fails. He added that payouts aren't likely to be more than what the customer pays for the overall security service, and that to receive a payout, documentation showing the software or system didn't meet the terms of the guarantee would be needed.
"There's nothing wrong with the guarantee -- it makes it seem like the vendor has more skin in the game and faith in the product," Staimer said. "It's a good thing, but you need to read the fine print."
For example, he said, many guarantees don't cover data loss from phishing, a form of fraud in which the attacker pretends to be someone else in an email or other form of communication.
Cohesity, another disaster recovery vendor, echoed the point in a blog post last month. The vendor, which does not offer a guarantee, urged customers to "read the fine print," noting that many guarantees don't cover data loss due to malware introduced by a third party or personnel through a breach in system security, and that customers have to meet conditions and requirements to qualify for a payout.
According to Rubrik's agreement, data loss due to malware introduced by customer employees, vendors and contractors is not covered. AvePoint's agreement requires that the customer comply with security measures to receive a payout, such as maintaining up-to-date endpoint security, including antivirus protection, and implementing security measures and AvePoint-approved best practices.
IDC's Goodwin added that it's important to understand a data resiliency guarantee is more like a warranty than cyber insurance, which helps reduce financial risks associated with doing business online. He said both are a good idea, and it's important to understand the details.
"There's certainly opportunity for misunderstanding on what is covered and not covered," Goodwin said.