Cybersecurity Governance: Who Decides to Pay the Ransom When Your Vendor Is Breached?
On 11 May 2026, Instructure announced it had settled with ShinyHunters, the extortion group responsible for the Canvas learning management system breach. The company stated it had received digital confirmation of data destruction and that the agreement covered "all impacted Instructure customers." The amount paid was not disclosed. The following day, a US House Homeland Security Committee investigation letter was reportedly sent to Instructure CEO Steve Daly, according to reporting by arnav.au.
Here is what those two events meant for 8,809 institutions worldwide, including three New Zealand universities: none of them were at the table when the ransom decision was made.
That is the governance question this article addresses. Not whether paying was right or wrong. Not whether ShinyHunters' confirmation of data destruction means anything. The question is structural: when your institution's learning management system is operated by a third-party vendor, and that vendor settles an extortion demand that covers your data, your students, and your legal obligations, who decided? This Sunday the answer was Instructure. Last year it was reportedly PowerSchool. Next year it will be someone else.
Boards need to understand why their current crisis governance frameworks do not cover this scenario, and what must change before the next vendor-side breach arrives.
The Governance Question
Two years of cyber crisis governance development in New Zealand and internationally has produced something genuinely valuable. Boards have invested in protocols. Hour-Zero frameworks define who speaks, who decides, and who carries accountability during the first 24 hours of a breach. The Resilience Manifesto commitments I outlined in Part 10 (Commitment Two: Architectural Debt assessment; Commitment Five: Audit of Intent) ask boards to periodically examine their third-party dependencies and verify that vendor intent on data handling translates into verifiable governance behaviour.
What neither framework anticipated is the scenario that landed on 11 May 2026: a vendor making a ransom decision on behalf of its entire customer base, without consultation, before the customer's board protocols could be activated.
The Once-Only Resilience framework, which I have developed through this series since Part 4, holds that some resilience commitments cannot be retrofitted after an incident. You cannot install a sprinkler system while the building is on fire. The same logic applies to decision rights. The decision whether to engage with an extortion demand is, by definition, a once-only decision. You make it once. You cannot un-make it. And when Instructure settled with ShinyHunters, every one of its 8,809 customer institutions had that decision made for them, permanently, without input.
I call this the Once-Only Decision principle. It is an extension of the Once-Only Resilience framework, and it surfaces a precondition the Hour-Zero Protocol did not make explicit: the question of whose protocol applies when the breach is at the vendor layer, not the institutional layer.
This is not a criticism of Instructure's decision. The structural dilemma vendors face is real: prolonged downtime generates losses that are genuinely unsustainable for a business serving 8,809 customers simultaneously. That pressure pulls decision-makers toward payment. Christy Wyatt of Absolute Security captured the trade-off accurately in public commentary on this incident: the calculus of vendor payment differs from the calculus of institutional payment, because the vendor is absorbing service-delivery risk across its entire customer base at once.
The structural problem is not that Instructure decided. The structural problem is that its customers had no contractual mechanism to participate in that decision. The trade-off was resolved at the vendor layer. The customer layer was informed.
There is a precedent that should concern boards further. In 2025, PowerSchool reportedly paid a ransom under analogous circumstances, and extortion attempts by other actors holding separate copies of the same data reportedly continued afterwards. A single threat actor's written confirmation of data destruction does not prevent secondary actors from leveraging copies of that data obtained before the agreement. Halcyon's analysis of the ShinyHunters "pay or leak" model specifically notes that payment carries no guarantee of permanent data suppression. The vendor has settled on your behalf. That settlement does not extinguish the underlying data exposure risk; it settles one actor's claim while leaving the data itself potentially accessible to others.
This is the consequence qualification that boards must apply to vendor settlement announcements: "digital confirmation of data destruction" means one actor has provided a written claim. It does not mean independent verification. It does not mean other copies do not exist. And it does not mean your institution's legal obligations have been discharged. The Audit of Intent principle requires that stated intent on data handling be treated as the beginning of verification, not the end of it.
The board takeaway is not that the vendor was wrong. It is that the contractual layer between boards and their SaaS vendors does not currently define who holds the decision right when a vendor faces extortion that covers customer data. That is a governance architecture gap, and it is one that no amount of internal crisis protocol can close after the fact.
The Architecture Underneath
The Canvas breach is also architecturally instructive in a way that extends beyond the ransom question.
Per reporting from The Hacker News and synthesised security analysis, the initial attack on 29 April 2026 exploited a cross-site scripting vulnerability in Canvas's Free-For-Teacher tier, a lower-permissioned service offering. What makes the 7 May second breach significant is that it used the same exploit path. Remediation had been incomplete. The second wave was not a new attack. It was a failed patch applied to the same vulnerability, allowing the same attacker to re-enter via the same door.
From an Architectural Debt perspective, this is the tier-boundary problem made operational. Commitment Two of the Resilience Manifesto asks boards to assess whether third-party dependencies have been re-evaluated against their organisation's risk appetite. The specific question for SaaS architecture is whether a compromise of a lower-permissioned tier can cascade to administrative access in higher tiers. In the Canvas case, the tier boundary was permeable. The Free-For-Teacher service carried sufficient privilege to enable an attack path that eventually reached institutional data.
Most board-level supply-chain governance frameworks ask "which vendors do we use?" and "what data do they hold?" The Canvas incident surfaces a third question: "what is our vendor's tier architecture, and what is the maximum privilege level accessible via a compromise of their lowest-permissioned service?" This question does not appear in most vendor risk assessments I have reviewed. It needs to.
The second architectural observation concerns remediation verification. When Instructure reported that the vulnerability had been patched after the first breach, that report was false: the 7 May second breach demonstrated the patch was incomplete. This is Commitment Five of the Resilience Manifesto, the Audit of Intent, applied at the remediation layer: a vendor's stated intent on security remediation is not equivalent to verified remediation behaviour.
The board governance implication is straightforward. Vendor-reported remediation completeness cannot be treated as independently verified unless your organisation has a contractual mechanism to require independent evidence of closure. In most current vendor contracts, no such mechanism exists. The vendor patches; the vendor reports; the customer accepts. The Canvas incident shows what happens when that acceptance is misplaced.
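To make the remediation-verification point concrete, here is an added example in Python. It is not code from this article, from Instructure, or from the Canvas codebase, and the template, sample payloads and function names are constructed for illustration; nothing in it reflects the actual Canvas vulnerability. It models a reflected-XSS sink with three candidate remediations and runs the same regression suite against each: the unpatched sink, an incomplete fix that only strips one tag (which passes the obvious case and fails variants, the pattern described above where the same door stays open), and a context-aware output-encoding fix that closes every case.

```python
"""Added example (not from the article, Instructure or Canvas): why a vendor's
"we patched it" needs independent, re-runnable evidence of closure.

Three candidate remediations of a reflected-XSS sink are checked against one
regression suite. Template, payloads and names are constructed textbook cases.
"""
import html
import re

# Constructed template: a user-controlled display name reflected into HTML.
TEMPLATE = '<p>Welcome back, {display_name}</p>'

# Constructed regression suite: well-known textbook XSS probes, chosen so that a
# narrow "strip <script>" fix passes the first two and fails the rest.
REGRESSION_CASES = [
    '<script>alert(1)</script>',
    '<SCRIPT SRC=x></SCRIPT>',
    '<img src=x onerror=alert(1)>',          # no <script> tag at all
    '<scr<script>ipt>alert(1)</script>',     # tag survives a single-pass strip
]


def render_unpatched(display_name: str) -> str:
    """The original sink: the value is interpolated verbatim."""
    return TEMPLATE.format(display_name=display_name)


def render_incomplete_patch(display_name: str) -> str:
    """Mimics an incomplete remediation: remove literal <script> tags only."""
    cleaned = re.sub(r'(?i)</?script[^>]*>', '', display_name)
    return TEMPLATE.format(display_name=cleaned)


def render_verified_fix(display_name: str) -> str:
    """Context-aware output encoding for an HTML text node."""
    return TEMPLATE.format(display_name=html.escape(display_name, quote=True))


def surviving_markup(rendered: str) -> list[str]:
    """Return any tags in the rendered page other than the template's own <p> pair.

    A correct fix leaves no attacker-supplied tag in the output; encoded text
    such as '&lt;script&gt;' contains no '<' and so never appears here.
    """
    tags = re.findall(r'<[^>]*>', rendered)
    return [t for t in tags if t.lower() not in ('<p>', '</p>')]


def verify_closure(render) -> dict[str, bool]:
    """Run the whole suite against one renderer; True means that case is closed."""
    return {case: not surviving_markup(render(case)) for case in REGRESSION_CASES}


def is_closed(render) -> bool:
    """Closure means every regression case is closed, not just the one reported."""
    return all(verify_closure(render).values())


if __name__ == "__main__":
    candidates = [
        ("unpatched", render_unpatched),
        ("incomplete patch", render_incomplete_patch),
        ("verified fix", render_verified_fix),
    ]
    for name, fn in candidates:
        report = verify_closure(fn)
        print(f"{name:17s} closed={is_closed(fn)}")
        for case, ok in report.items():
            print(f"    {'PASS' if ok else 'FAIL'}  {case}")
```

Run it directly for a per-case closure report. The incomplete patch passes the two `<script>` probes and would look "fixed" to anyone who re-tested only the originally reported payload, while failing the variants; the encoding fix passes all four. The artefact that matters for the governance reader is the shape of the check: a reproducible suite the customer or an independent assessor can rerun, rather than the vendor's statement that the patch was applied.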
The NZ Position
Three New Zealand universities were confirmed as affected by the Canvas breach: the University of Auckland, Auckland University of Technology, and Victoria University of Wellington, per NZ Herald reporting on 6 May 2026 and subsequent spokesperson statements. The University of Auckland took Canvas offline on 8 May, postponed digital assessments, and redirected students to alternative platforms including Talis, Panopto, and Inspera. These are not abstract data points. These are institutions with active legal obligations that the Instructure settlement does not discharge.
Under the Privacy Act 2020, affected New Zealand agencies retain independent breach notification obligations regardless of what a vendor has agreed with a threat actor. The Instructure settlement covers Instructure's exposure to the threat actors. It does not cover the Crown entity's obligations to the Privacy Commissioner. If the breach involved personal information held about students or staff, each affected institution must assess its notification obligations independently.
IPP 3A, which came into force on 1 May 2026, adds indirect-collection notification requirements that may apply depending on how data flows between Instructure and the affected institutions. Where an institution collected personal information through Canvas, and that information includes data about third parties (students, staff, family members), the IPP 3A indirect-collection obligations may require notification to those individuals regardless of Instructure's agreement. The legal position is that the vendor's settlement is the vendor's settlement: institutions carry their statutory obligations regardless of what a third party negotiated on their behalf.
The notification obligations under the Privacy Act 2020 are assessed by the institution, not the vendor. Affected institutions should make that assessment independently and not rely on Instructure's communication to their own staff and students as satisfying the statute. The institutional obligation to notify is separate from any communication Instructure chooses to make. This is the statutory independence that follows from the Vendor-Decides structural reality: the vendor decides about the extortion; the institution decides about compliance.
NCSC NZ's standing advice is that individuals approached for payment in relation to the breach should not engage. That advice is consistent with Five Country Council joint guidance on extortion response. The Instructure agreement removed the institutional decision point before the advice could be operationalised at the institutional level. The advice itself remains sound: the structural point is that the decision window at the institutional layer was closed by the vendor before it opened.
The three affected universities are Crown entities with governance frameworks that include independent obligations under the Privacy Act 2020. Those obligations persist. The Instructure settlement does not satisfy them.
What This Changes for Boards
Every board that uses a SaaS provider for any system holding personal information should ask one question before its next governance meeting: does our vendor contract define what decision rights our organisation retains if the vendor itself is breached and faces an extortion demand?
In most cases today, the answer is no. Most vendor contracts address the vendor's obligations to notify the customer, to restore service, and to compensate for losses. They do not address who holds the decision right on extortion engagement. That omission has become demonstrably consequential. Contractual definition of crisis decision authority must exist before the breach, not be negotiated during it. You cannot retrofit decision rights into a vendor relationship once the vendor has already decided.
Four questions boards should put to their SaaS vendors:
First: if your organisation faces an extortion demand covering our data, what is your decision protocol, and does it include a defined consultation mechanism with us before any settlement is reached?
Second: what is the tier architecture of your service, and what is the maximum privilege level accessible via a compromise of your lowest-permissioned tier? Can a Free-For-Teacher equivalent reach our institutional data?
Third: how is remediation completeness verified after a patch is applied? What independent evidence of closure is provided to customers, and under what timeline?
Fourth: does a settlement your organisation reaches with a threat actor discharge our independent obligations under the Privacy Act 2020 and other applicable data protection legislation? (The answer is no, but the vendor should confirm this understanding explicitly in writing.)
None of these questions is hypothetical. All four are grounded in confirmed events from the week of 11 to 17 May 2026.
A fifth question is worth adding, though it sits at the governance level rather than the contract level: does your board have a protocol for the scenario where a vendor settles an extortion demand before your Hour-Zero Protocol can activate? The Canvas incident is not a breach of your organisation's perimeter. It is a breach of your vendor's perimeter, resolved by your vendor, with consequences that land on your institution. Your existing crisis protocol assumes you are the principal actor. This week demonstrated you may not be.
The practical implication is a two-layer governance requirement. Layer one is internal: review your Hour-Zero Protocol to include a vendor-side breach scenario where the vendor acts before your institution is consulted. Layer two is contractual: before renewing or signing any SaaS agreement for systems holding personal information, require explicit contractual language on decision rights in the event of extortion. If your vendor will not agree to a consultation requirement before any extortion settlement, that is itself governance information.
This is not about assigning blame to Instructure. The vendor faced an impossible situation: 8,809 simultaneous customers, a threat actor with their data, and a business that could not afford prolonged downtime across its entire customer base. The structural problem is that no contractual mechanism existed to give those 8,809 institutions any role in the decision. That gap is the governance finding. Closing it is the board's responsibility.
The Once-Only Decision principle requires that contractual definition of crisis decision authority exist before the breach. That is the precise extension of the Once-Only Resilience framework the Canvas incident surfaces. The 8,809 affected institutions did not have this layer. When the decision arrived, it was already made.
Two forward signals for boards tracking this space:
The intersection between vendor-ransom-decision governance and cyber insurance underwriting is significant and developing. If insurers begin pricing vendor-side decision rights into institutional cyber insurance premiums, the contractual layer this article calls for will become economically inevitable rather than merely governance-sound. I will be examining this intersection in the EA Thursday series, where the insurance-driven architecture mandate thesis is developing a directly relevant argument.
And this pattern is not confined to cybersecurity. This week, in parallel across the AI verification domain, vendor capability claims are being subjected to independent assessment in ways that parallel the vendor-remediation-verification question the Canvas breach surfaces. The principle that a vendor's assertion about its own systems is not the same as an independently verified fact is structural, not incident-specific. I will be tracking this cross-domain pattern in the Gen AI Tuesday series.
What Has Changed
Board crisis governance protocols are written on the assumption that your institution will be the decision-maker when a breach affects your data. That assumption now needs a second clause: "unless the breach is at the vendor layer, in which case the vendor may decide before you are consulted."
Instructure's settlement this week did not change the legal obligations of the 8,809 institutions it covers. It did not discharge their Privacy Act duties. It did not close the underlying data exposure risk. What it did is clarify, for any board that was still uncertain, that vendor crisis governance is a contractual problem, not just a technical one.
When was the last time your board reviewed the decision rights embedded in your SaaS vendor contracts? If you cannot answer that question, you have not yet closed the governance gap the Canvas breach has opened.
The views expressed in this article are entirely my own, informed by more than 30 years of professional experience in architecture, security, and technology leadership in New Zealand. They do not represent the views of my employer, any government agency, or the New Zealand government. My commentary on legislation and policy is analytical, drawing on publicly available sources and my professional expertise in architecture, security, and AI governance. I follow the Public Service Commissioner's Code of Conduct for the Public Sector and social media guidance.
Andreas Hamberger is a Wellington-based enterprise architect, security practitioner, and technology strategist with more than 30 years of experience across New Zealand's public and private sectors. He holds TOGAF, IAPP, and AMInstD credentials and is founder of Te Pono Limited. He is an Associate Member of the Institute of Directors New Zealand. The Hamberger Report: Cyber Guide for New Zealand Boards is the definitive board-level cybersecurity governance guide.
I use AI tools, including Sudowrite, Claude, Perplexity AI, DeepSeek AI, ChatGPT, Grok, Copilot, Openart and Gemini, as deliberate production tools, not ghostwriters. This is consistent with my position: AI amplifies human judgement; it does not replace it. The frameworks, arguments, and editorial decisions in this series are original work. AI accelerated the process. The thinking is mine.
[1] Instructure. "Update regarding Canvas data security incident." 11 May 2026. URL to be confirmed at publication.
[2] Inside Higher Ed. "Canvas Data Breach: Instructure Reaches Agreement with ShinyHunters." May 2026. URL to be confirmed at publication.
[3] The Hacker News. "Canvas LMS Breach: XSS Exploit, Two-Wave Attack, and Governance Implications." May 2026. URL to be confirmed at publication.
[4] Malwarebytes. "Instructure Canvas breach: what happened and what it means." May 2026. URL to be confirmed at publication.
[5] Wikipedia contributors. "2026 Canvas security incident." Wikipedia, updated May 2026. URL to be confirmed at publication.
[6] New Zealand Herald. "University of Auckland, AUT and Victoria University of Wellington among those affected by Canvas data breach." 6 May 2026. URL to be confirmed at publication.
[7] Arnav.au. "Instructure Canvas breach synthesis and Congressional investigation reporting." May 2026. URL to be confirmed at publication.
[8] NCSC New Zealand. "Ransomware and extortion: standing guidance." NCSC NZ, current. ncsc.govt.nz.
[9] New Zealand Office of the Privacy Commissioner. "Privacy Act 2020: notifiable privacy breach obligations." OPC, current. privacy.org.nz.
[10] New Zealand Office of the Privacy Commissioner. "Information Privacy Principle 3A." OPC, effective 1 May 2026. privacy.org.nz.
[11] Halcyon Research. "ShinyHunters extortion model: payment guarantees and residual data risk." May 2026. URL to be confirmed at publication.
[12] Cyber Magazine. "Instructure Canvas breach coverage and analysis." May 2026. URL to be confirmed at publication.