A problem for investors is that companies don’t have proper incentives for preventing attacks. Herb Lin, cyber policy and security scholar at Stanford University’s Hoover Institution, said companies spend too much energy avoiding responsibility for attacks, rather than preventing them. As a result, manufacturers don’t take responsibility for fully protecting themselves from security breaches, he said.
Kaseya’s end-user agreement largely absolves it of breaches that compromise customers’ data unless there was gross negligence or misconduct.
A Kaseya spokeswoman said in an email that their agreement’s language is “standard for our industry.”
According to Lin, widespread use of such agreements is precisely the problem.
“Companies go out of their way to say we’re not liable for any consequences of this type of attack,” he said, pointing to user agreements that pre-emptively absolve companies of responsibility, and to seemingly catastrophic events that cause no lasting harm to companies’ stock prices.
Read the rest at Barron's