I have been watching news on the cyber attack against the IT service provider, Cognizant over the past few weeks with rapt fascination. Bllomberg reported on Apr 18th that Cognizant had been hit with the Maze ransomware and were engaging law enforcement and incident response personnel. (See Here) More recently, ZDNet reported that Cognizant expected its losses to be between 50 and 70 million dollars because of this breach. (See Here) Cognizant was forced to admit the breach after some customers complained about an “internal issue” in mid-April. Cognizant has stated that there has been no damage to any of its customers and so far that has held true but confidence in the company has been shaken. The long-lasting impact to the company will take more time to measure as some customers bolt for other service providers. This story has to be a cautionary tale for all service providers. Every service provider is also a security provider even if it is not listed in their name. Companies are coming to you to ease their minds and to protect their networks. When these attacks happen, every service provider should be taking a close look at their own networks and evaluating their security. What is somewhat concerning is that Cognizant may have tried to hide the fact that they had been infiltrated. Their initial contact with customers asked the customers to block a specific range of IP addresses which were associated with the Maze ransomware group. What is not clear is if this initial contact was simply an attempt to warn customers and a more comprehensive announcement would have followed or if the company intended not to tell anyone about the attack. Statistics show that most companies do not notify customers about most attacks – numbers as low as 15% have been reported in the past. This is why the SEC has started to get more involved in cyber attack reporting. More and more companies are listing ransomware as a “risk factor” for their futures (See Here) and the SEC is starting to indicate that it will fine companies that do not adequately report these attacks. The writing is on the wall: If you are an IT service company, you must secure the data and have a mitigation plan in place. You should also be considering how you would notify your customers should a breach occur. The days of trying to hide these attacks have to be behind us.