So, Kaseya. Updating on yesterday, the company strongly denied paying to get access to the universal descriptor.
“While each company must make its own decision on whether to pay the ransom, Kaseya decided after consultation with experts to not negotiate with the criminals who perpetrated this attack and we have not wavered from that commitment,” from a statementreleased Monday. “As such, we are confirming in no uncertain terms that Kaseya did not pay a ransom – either directly or indirectly through a third party – to obtain the decryptor.”
CNN additionally confirmed that Kaseya required a non-disclosure agreement to gain access to the decryptor, and Kaseya told ZDNet they were unable to comment on the agreement. Cybersecurity experts noted that asking for an NDA was not an everyday practice, and also that it could be to ensure the third party who provided the key is not disclosed, nor the manner in which the decryption is made available.
Why do we care?
It’s the NDA that has been causing a lot of agitation in the IT provider community. Let’s discuss.
It’s easy to pushback on this with a cynic’s eye. Sure, they don’t want customers talking about this. That said, protecting methods and sources is important.
Here’s the two part takeaway. First, I hope providers are learning lessons about what to ask about disclosure and security policy BEFORE the inevitable breach. This is stuff you need establish BEFORE you need it, not after.
Second, NDAs are negotiable. Like any contracts, they can be negotiated. Define what information is to be protected. You don’t HAVE to sign one. If it smells like extortion, it might be extortion, and you have other options. After all, you are the customer. IT providers too often forget that.