Do FunctionName.prg
Message
From
27/05/2021 15:58:47
John Ryan
Captain-Cooker Appreciation Society
Taumata Whakatangi ..., New Zealand
 
 
To
26/05/2021 22:45:52
Walter Meester
Hoogkarspel, Netherlands
General information
Forum:
Visual FoxPro
Category:
Coding, syntax & commands
Miscellaneous
Thread ID:
01680170
Message ID:
01680801
Views:
53
>>Protecting your intellectual property and protecting your systems from ransomware are two separate things, not to be confused with each other. I won't give a hoot about protecting our source code. That is not on which we make our money. Ransomware is a totally different matter though.

Just an observation that (for example) the license to use the Australian Modified ICD-10 and Refined Diagnosis Related Groups makes the licensee responsible for any exposure of that IP outside 20 or so licensed countries. If somebody can hack your app or peel the information out for use in an unlicensed jurisdiction, you're financially liable for the cost of a national license. These sorts of arrangements seem to be accelerating in the last few years.

There are also per-transaction pricing models; if a hacker can scoop license keys or other credentials and rack up huge transaction costs until somebody notices, the scam victim will of course refuse to pay, instead blaming the vendor for not securing license keys adequately to protect its customers.

Current topic though is customer protection. If it's relatively easy to unpick your app to harvest database credentials, SQL queries, calls to SP, etc., that can be used to harvest sensitive data, you can expect a black eye the first time a big-5 firm sells a security audit to one of your customers.

The irony is that (as you'll know) privacy of data held by large institutions is often down to obscurity and good fortune, not rigorous process. I continue to hear of inadvertent releases caused by sloppy process involving stolen notebooks and unencrypted copies, or PHI sent by open email. Nevertheless the good old "rules for thee, not for me" will come crashing down when the expensive consultant finds a potential insecurity that can be blamed on somebody else.

Not sure why we're even discussing this; you're a smart dude who must have GDPR and HIPAA documentation that can only be enhanced by hacker-proofing.
"... They ne'er cared for us
yet: suffer us to famish, and their store-houses
crammed with grain; make edicts for usury, to
support usurers; repeal daily any wholesome act
established against the rich, and provide more
piercing statutes daily, to chain up and restrain
the poor. If the wars eat us not up, they will; and
there's all the love they bear us."
-- Shakespeare: Coriolanus, Act 1, scene 1