Breach Protection Warranty For MDR Complete

Sophos provides this limited warranty (“Warranty”), on the terms and conditions outlined herein, for Customers that have a current, fully paid-up subscription for MDR Complete (“Subscription”) and have a currently supported version of the Product (as defined below) correctly installed and fully operational on their endpoint(s). Customer hereby agrees to have read, to have understood, and to be bound by this Warranty.

This Warranty is part of the Service Description for Sophos Managed Detection and Response offering (“MDR Service Description”) and is subject to the Agreement (as defined in the MDR Service Description). In the case of a conflict between these documents in respect of the Warranty, then the terms of this Warranty shall prevail to the extent of such conflict.

Capitalized terms not defined in this Warranty shall have the meaning given to them in the MDR Service Description or the Agreement, as applicable, but for the purposes of this Warranty, the following definitions shall apply:

“Breach Incident” means a confirmed ransomware attack from external sources through malware or a virus that denies, by encryption, Customer’s access to a material portion of its confidential information, files and data located on one or more of its Managed Endpoints and demands a ransom payment for its release or return.  For clarification, where individual impacts on multiple endpoints are related to the same underlying malware, virus, threat actor, threat campaign, or series of threat campaigns,  the multiple impacts shall be considered one Breach Incident and will be limited to one claim under the Warranty.

“Healthy Environment” means Customer’s endpoint environment using a current supported operating system that is free of known malware and/or viruses at the time immediately prior to the Breach Incident, and such environment has an overall health score of 100 as indicated by the Account Health Check in Sophos Central. Notwithstanding the foregoing, a Managed Endpoint shall not cease to be a Healthy Environment if Sophos has instructed Customer in writing to disable a feature or otherwise change a setting in Sophos Central and such guidance is current (i.e. has not been revoked) at the time of the Breach Incident.

"Product” means, as applicable, (i) Sophos Intercept X Advanced with XDR and MDR, and/or (ii) Sophos Intercept X Advanced for Server with XDR and MDR  and, in each case, with all three components fully installed.

“Warranty Term” means the time period in which Customer (i) has a current, fully paid-up Subscription and (ii) runs a currently supported version of the Product correctly installed, configured and enabled to the recommended settings on all of the Managed Endpoints in compliance with the MDR Service Description, the relevant Documentation and the terms and conditions of this Warranty.  

“Year” means a year beginning on the start date of the Customer’s Subscription (or renewal in the case of an Existing Customer), or anniversary of such date, as applicable.

A: WARRANTY

Sophos warrants that if, during the Warranty Term, the Customer suffers a Breach Incident on a Healthy Environment that results in the irretrievable loss of Customer‘s data, Sophos will pay an amount up to the limits specified in this Warranty in respect of that Breach Incident. All claims are subject to the terms, conditions, limitations, disclaimers and exclusions of this Warranty. 

B: WARRANTY CONDITIONS, DISCLAIMERS & EXCLUSIONS

1. GENERAL

1.1 The Warranty is only available for a Customer in respect of its Managed Endpoints. The Warranty does not apply to Managed Service Providers (MSPs) (or customers of MSPs) and is non-transferrable.

1.2 The Warranty is only available to a current subscriber of MDR Complete where the Customer has purchased a Subscription. For the avoidance of doubt, a Customer that was migrated from its existing Managed Threat Response subscription to MDR Complete (“Existing Customer”) will not be entitled to the Warranty until such Customer renews its Subscription unless B1.3 applies.

1.3 If, prior to the scheduled renewal date, an Existing Customer (a) increases the Use Level of its Subscription license for MDR Complete by 20% or more of the number of Users or Servers (each as defined in the Licensing Guidelines) comprising its current Subscription, or (b) purchases a: (i) chargeable MDR integration add-on; (ii) Central Data Storage – 1 yr Pack; or (iii) Central Network Detection and Response virtual appliance, for its existing Subscription, then the Warranty will apply to their entire augmented Subscription. 

1.4 The Warranty is provided AS IS and may be modified at any time at the sole discretion of Sophos, and only the then current version of the Warranty as published at www.sophos.com/legal/MDR-Complete-Warranty shall apply.

1.5 This Warranty is not intended to and shall not be construed to give any third party any interest or rights (including, without limitation, any third party beneficiary rights) with respect to or in connection with any agreement or provision contained herein or contemplated hereby. Only the Customer has the right to enforce this Warranty.

1.6 THIS WARRANTY MAY BE CANCELLED, SUSPENDED OR REVISED BY SOPHOS BY REASONABLE WRITTEN NOTICE AT ANY TIME AND AT SOPHOS’ SOLE DISCRETION. SUCH NOTICE MAY INCLUDE A POSTING TO SOPHOS.COM OR A BANNER ON THE CENTRAL CONSOLE.

1.7  THIS WARRANTY DOES NOT, AND SHALL NOT BE DEEMED TO PROVIDE A CONTRACT OF INSURANCE UNDER ANY LAWS OR REGULATIONS AND SHALL BE NULL AND VOID IN ANY COUNTRY OR JURISDICTION IN WHICH IT IS DEEMED TO BE A CONTRACT OF INSURANCE OR AN OFFERING OF INSURANCE.

2. REQUIREMENTS & CONDITIONS

The benefits of this Warranty will only be available to an MDR Complete Customer that meets all of the conditions of this Section B.2.

2.1  Customer has the Product correctly installed, configured and enabled on its Managed Endpoints in compliance with the MDR Service Description, relevant Documentation and these terms and conditions.

2.2  Customer has a fully paid-up Subscription for a minimum subscription of 12 months, and that Subscription has not lapsed and/or payment is not pending or subject to any grace/hold period.

2.3  At the time of the Breach Incident the affected Managed Endpoints must:

1. have been running the currently supported release of the Product, including all updates, patches and bug fixes;
2. have a Healthy Environment;
3. be using a current supported operating system on each of its Managed Endpoints from either:
   • (i) Microsoft Windows https://learn.microsoft.com/en-us/windows/release-health/supported-versions-windows-client and https://learn.microsoft.com/en-us/windows/release-health/windows-server-release-info, and the Product continues to support the operating system; or
   • (ii) Apple, in which case either the current macOS release or a prior release is used, and for so long as Apple continues to support and provide updates for it, and the Product continues to support the operating system;
   • An operating system that is under a period of extended support shall not be considered current, and a claim will not be honored under the Warranty; and
4. not be in breach/default of any terms of the Agreement (as defined in the MDR Services Description) or of the MDR Services Description.

2.4  Throughout the Warranty Period, Customer must :

1. not turn off or disable any functionality for the Products that permits the Managed Endpoints to be scanned for malware and viruses;
2. allow Sophos to conduct an “on demand” scan of the Managed Endpoint at Sophos’ discretion to determine the health of the Managed Endpoints;
3. routinely backed up its data in accordance with industry best practice; and
4. provided sufficient training to those accessing its data on basic precautionary steps to be taken to avoid phishing or the inadvertent installation of malware and viruses.

2.5  Any Customer remote management of its endpoints and servers must be securely managed and protected using industry best practices, employing at a minimum: multi-factor authentication (which must be enabled and enforced), and enforcing complex passwords containing alphanumeric and special characters and automatic time-outs.    

2.6 Customers that are in a regulated industry (e.g., banking, energy, healthcare) must comply with all laws and regulations applicable to its industry.     

2.7 Customer reasonably cooperates with Sophos in the investigation of the Breach Incident and any Warranty claim.

3. DISCLAIMERS/LIMITATIONS

A claim made under this Warranty will be denied by Sophos if any of the following apply:

3.1 A Breach Incident occurs after Sophos reports to, or otherwise notifies, Customer in relation to: (a) an Incident, Detection, Case or Response Action, or (b) (i) a non-Healthy Environment, (ii) gaps in Customer’s system or significant misconfigurations of the Products that could degrade real-time protection, (iii) investigation or the inability of Customer to follow up to take Response Actions, or (iv) matters that are likely to lead to a potential Breach Incident, but Customer fails to remediate any identified issues promptly, as reasonably determined by Sophos, and in accordance with good security practice commensurate with the level of security threat.

3.2 Customer fails to notify Sophos of a Breach Incident by opening an MDR case/ticket via email to  mdr-ops@sophos.com  and / or by calling the relevant number listed at   https://docs.sophos.com/support/help/en-us/active-threat/mtr/open/index.html as soon as reasonably practicable, and in any event, within 24 hours of becoming aware of a potential breach occurring.

3.3 Customer fails to state their intent to claim under this Warranty, within 5 days of a Breach Incident, by providing a written request to Sophos at breachclaims@sophos.com to commence the approval process for the claim in conformance with Section D (Filing a Claim) of this Warranty.

3.4 Customer does not complete the form at www.sophos.com/claim within 15 days from the occurrence of a Breach Incident.  

3.4 A review of the Account Health Check in Sophos Central shows that the Customer’s Managed Endpoint was not a Healthy Environment at the time of the Breach Incident.

3.5 The Incident Response determined that the Breach Incident occurred because of the following:

1. Customer failed to install bug fixes, patches and/or updates relating to any security vulnerability issued by a vendor/developer from time-to-time for any application and/or operating system running on the Managed Endpoints within the timeframe for the Common Vulnerability Scoring System (CVSS) outlined below, each such timeframe beginning from the date the fix is made available:
   • Critical (score 8.5+) within 7 days;
     High (score 7-8.5) within 30 days; and
     Medium and lower (score < 7.0) within 90 days.
     
     If a reboot of the system or application was required in connection with any of the above, the application/system will not be considered to have fulfilled this requirement unless and until completion of the applicable reboot.
2. an introduction of an active threat through an unprotected endpoint within the Customer network (i.e., the Breach Incident did not originate from a Managed Endpoint but was introduced from another end  point on the Customer network).
3. the Breach Incident occurred before the Warranty Term.
4. the Customer failed to identify or remediate issues where the Product was improperly installed on a Managed Endpoint or was not performing in accordance with the Documentation. (It is the Customer’s responsibility to identify and remediate issues arising during installation.)

3.6 The Customer fails to provide sufficient evidence of its compliance with its obligations and requirements set forth under this Warranty.

3.7  Customer is requesting that a ransomware payment or reimbursement under the Warranty be paid to any person or entity that: (i) would be a violation of the local laws of the country where the Breach Incident occurred; or (ii) resides in or is subject to economic sanctions administered or enforced by the U.S. Treasury Department Office of Foreign Assets Control (OFAC), including (a) any persons or entities listed on OFAC’s Specially Designated Nationals and Blocked Persons (SDN) list, (b) persons or entities otherwise prohibited under relevant U.S. law, or (c) persons or entities prohibited by laws of other countries. Customer must provide to Sophos evidence, to Sophos’ reasonable satisfaction, that any ransomware payment to be provided by Sophos shall not violate the above.

4. EXCLUSIONS

The following types of claims are expressly excluded from the Warranty and a payment reimbursement will not be made:

4.1 Any claims related to a Breach Incident occurring within a virtual desktop infrastructure (e.g. Citrix, VMware, and other virtual desktop infrastructure environments). For avoidance of doubt, this relates to both the device and operating system running the VDI management system/hypervisor and the virtualized operating system(s) running within each virtual instance.

4.2  A claim made by  a Customer where either (i) the data is not irretrievable (i.e., Customer can get  access to  back-up data and is capable of restoring the majority of the deleted or encrypted data with the back-up); or (ii) where the data was not on the Managed Endpoints affected by the Breach Incident.

4.3  A claim for a Breach Incident caused by a third party product and/or service which directly or indirectly causes the malfunction or nonperformance of the Product or the Subscription.

4.4 A claim resulting from a systemic failure of software impacting customers on a significant, large scale basis.

4.5 A claim resulting from a systemic failure affecting the Sophos infrastructure.

4.6 A claim related to any Breach Incident that arises out of or is caused by, directly or indirectly, acts of God, including but not limited to earthquakes, hurricanes, tsunamis, natural disasters, wildfires, solar flares, solar winds, etc., acts of war or terrorism, or reasonably believed to be related to state sponsored cyberattacks, civil or military disturbances, nuclear, and interruptions, loss or malfunctions of utilities, communications, or the systemic failures of the same.

4.7 A claim related to a Breach Incident arising directly or indirectly from the intentional or willful misconduct, collusion, or the negligence of the Customer, its Affiliates, or its or their directors, officers, agents, employees, non-employee workers, agents, representatives, contractors or consultants (“Customer Representatives”).

4.8 A claim related to a Breach Incident arising as a result of an infection, compromise, malware, virus or other unauthorized access of asset(s) or credentials that attempts to circumvent controls in an effort to compromise an endpoint that was introduced to Customer’s internal systems (which could be an unprotected endpoint within the Customer network or a Managed Endpoint) by a Customer Representative, whether intentionally or unintentionally (e.g. malware or virus testing).

4.9 A claim filed by the Customer is not in good faith or is considered non-meritorious or frivolous, as reasonably determined by Sophos.

C: LIMITS OF REIMBURSEMENT PAYMENT

1. To initiate a claim under the Warranty, Customer must have anticipated demonstrable out of pocket expenses of at least $5,000 (US) spent in direct response to a Breach Incident.
2. Sophos will not be liable to pay more than $1,000 (US) for the lesser of: (i) each fully paid up license acquired by Customer, or (ii) each breached Managed Endpoint. For the avoidance of doubt, if Customer has purchased 25 licenses for use, the maximum reimbursable claim is limited to $25,000 (provided that the conditions in Section B.2 are met).
3. Subject to the limitations set forth in Sections C.1 and C.2 above, Sophos will reimburse Customer for pre-approved actual, documented out of pocket Expenses, not to exceed $1,000,000 (US) in any Year. Such aggregate limit shall apply regardless of the number of Subscriptions held by the Customer, the number of Managed Endpoints covered, or the number of Breach Incidents which could be reimbursable under this Warranty.
4. For the purposes of C.3 above “Expenses” shall constitute, and be limited to, any of the following costs that are incurred in order to remediate a Breach Incident: (i) reasonable legal fees; (ii) expenses relating to providing notices to affected individuals; (iii) reasonable costs and expenses for public relations; (iv) fines assessed by a regulatory agency; and (v) payment of a ransom to the party causing the Breach Incident to retrieve encrypted data (subject to Section C.5 below and Customer confirming compliance with Section B.2.6 above).  Expenses shall not include  any value added tax (or  similar taxes), any other federal, state, municipal, or other governmental taxes, duties, licenses, fees, excises, or tariffs incurred by Customer that are recoverable, creditable, or in any other way are not a cost to Customer under applicable laws by any reasonable means or endeavours of Customer.
5. A claim for a ransomware payment shall be limited to a maximum payment of $100,000 (US) in any one claim (and remains subject to any further limitation pursuant to the maximum amount payable per affected Managed Endpoint as specified in Section C.2 above).
6. If a Customer makes multiple purchases of the Product on different orders and/or dates, and/or has multiple Subscriptions, the customer is only entitled to receive reimbursement on 1 claim; not 1 claim per order/Subscription.
7. Sophos shall have no obligation to make any payments that are prohibited by applicable law.
8. The payment reimbursements provided by this Warranty is Customer’s sole and exclusive remedy for any claims arising from a Breach Incident. To the maximum extent permitted by applicable law, Sophos and its Affiliates disclaim all other warranties, whether express, implied or statutory or otherwise, including but not limited to, warranties of merchantability and fitness for a particular purpose and warranties against hidden or latent defects.  In no event will Sophos, its Affiliates or their respective suppliers be liable (under any theory of liability, whether in contract, statute, tort or otherwise) for any lost profits, lost business opportunities, business interruption, lost data, data restoration, or special, incidental, consequential, or punitive damages, even if such party has been advised of the possibility of such damages or losses or such damages or losses were reasonably foreseeable; and in no event shall Sophos’ liability under or arising from this Warranty exceed the limits set out above.
9. IN CASE ANY OF THE LIMITS SET OUT ABOVE ARE DETERMINED TO BE INVALID UNDER APPLICABLE LAW IN ANY COUNTRY OR JURISDICTION, THIS WARRANTY SHALL BE DEEMED NULL AND VOID.

D: FILING A CLAIM

1. A claim under the Warranty must first be approved in writing by Sophos, including the preapproval of qualified vendor(s) selected to remediate a Breach Incident and the costs to be paid for such services. Sophos reserves the right, at its sole discretion, to exclude the use of a competitor of Sophos.
2. Customer shall reasonably cooperate with Sophos in the investigation of the Breach Incident and Warranty claim.
3. Customer will, within five days of a Breach Incident, state their intent to claim under this Warranty by providing a written request to Sophos at breachclaims@sophos.com to commence the approval process for the claim.
4. Within 15 days from the Breach Incident, Customer must submit full claim details via www.sophos.com/claim. All invoices for costs incurred by Customer must be submitted to Sophos within 2 months of the Breach Incident.

E:  GOVERNING LAW & DISPUTES       

All disputes arising from or in connection with this Warranty shall be governed by the laws of England and Wales.

Any dispute arising out of or in connection with this Warranty, including any question regarding its existence, validity or termination, shall be referred to and finally resolved by arbitration under the London Court of International Arbitration (LCIA) Rules, which Rules are deemed to be incorporated by reference into this clause.

The seat, or legal place, of arbitration shall be London, England. The language to be used in the arbitral proceedings shall be English.