The Truth About Data Safety Warranties in Technology M&A

A warranty is an assurance by a manufacturer or seller that the item purchased will not have defects for a specified time. In the context of technology M&A, warranties are often used to manage security and data availability risk.

Security warranties for data are becoming more popular among distributors. With ransomware expected to cost businesses $265 billion by 2031 and attacks trending toward one every two seconds, it is no surprise that they offer this new guarantee to their clients. These guarantees help reduce the economic risk associated with cyberattacks by transferring legal responsibility to the vendor. They are typically provided as an additional benefit alongside cybersecurity insurance, to cover gaps where insurance coverage might not be enough.

Security guarantees differ widely in their details; however, they typically cover the loss of business revenue as well as the additional expenses incurred and the reputational damage caused by the breach. They may also include legal liability provisions, which cover the costs of notifying individuals impacted by an attack as well as any penalties or fines resulting from lawsuits that could be filed.

While the idea behind a data security warranty is a good one, many of them are flawed. Consider the case of Rubrik, which offers a “Recovery Incident Warranty.” This warranty pays for what they describe as “Recovery Incident Expenses.” However, this doesn’t mean that your employees are being compensated for the time they spent on a recovery incident. Rubrik will only pay expenses for which there are receipts. This is a small red flag.