Ransomware Insurance: What To Look For
When it comes to cyber risk insurance, broad coverage for ransomware is more important than ever. Organizations need to be careful, however, not to develop a false sense of security simply because a cyber policy is in place. Not all ransomware coverage is created equal; terms differ significantly from one insurer to another. At a minimum, policies should provide coverage for: 1) extortion demands/payments and reasonable associated fees, 2) resulting lost income, 3) asset restoration and potentially 4) reward reimbursement. A closer look should also be given to the definitions, terms and conditions outlined below.
DEDUCTIBLES & SUB-LIMITS: Most policies sub-limit coverage for cyber extortion. With the surge of ransomware attacks over the past few years those sub-limits are getting lower and lower, which is why it is more important than ever to review policy limits carefully. The ransom itself is only one small part of the financial damage inflicted. For most organizations, the lost income resulting from downtime and reputational damage is a far greater concern and often more costly. Forensic investigations, network and asset restoration costs, and the cost of improving network security further compound the damage of these attacks. All of these damages should be taken into account when performing a limit review. It is also important to remember that making a ransom payment may result in the payor being placed on a “white list” of organizations known to pay, making it a soft target for follow-up ransom demands. Organizations should therefore plan for the possibility of sustaining follow-up attacks.
DEFINITION OF EXTORTION THREATS: Basic policy forms that limit “extortion threats” to threats to “sell or disclose PII” should be avoided entirely. With attackers shifting their focus from traditional protected data to corporate IP and computer/control systems, it is critical that policies contain broad definitions of extortion, including threats to:
- Access, sell, disclose or misuse information: At the bare minimum, this should include PII, PHI and CCI. Broader policies, however, will define it more simply as “data stored on your network” and include “digital assets” (which cover your business information). This is an important consideration for companies whose value lies in IP or similar assets. The covered “acts” should also be considered. Some policies require a threat to sell or disclose the data, whereas broader definitions set the trigger at a threat merely to “access” such information.
- Alter, damage or destroy data, software, hardware or programs
- Impair or restrict access (DDoS attacks): This should include interference with your software and systems/network, or “threats to disrupt business operations”.
- Pharm or phish your clients: These attacks involve impersonating the insured in order to gather protected information from its clients, or induce fraudulent wire transfers.
- Use your network to transmit malicious code to 3rd parties
- Deface or interfere with your company’s website: For companies such as online retailers, tech providers, and professional/financial service firms, extended website downtime can inflict severe lost income and/or 3rd party damages.
- Acts that are a continuation of previously reported incidents
Lastly, with ransomware gangs increasingly recruiting insiders, it is critical that the acts of rogue employees are covered in connection with the above threats.
DEFINITION OF COMPUTER SYSTEMS: Ransomware can affect a wide range of targets, from data, to computer networks, to security cameras and control systems. The policy definition of “computer systems” should therefore be as broad as possible, including the following systems owned, leased, or operated by the insured: hardware, software, firmware, virtual systems, operating systems, virtual machines, wireless devices, backups (including offline backups), ICS and SCADA systems, telephone systems, networking equipment, associated devices, media, and IoT devices.
With most organizations relying on 3rd party providers for data storage and software solutions, it is important to consider how a ransom demand affecting a cloud provider might implicate coverage. To ensure the carrier will respond, insureds should carefully review the definition of “external computer systems” and confirm it includes the systems listed above when they are owned, leased or operated by 3rd party business providers as well.
DEFINITION OF EXTORTION EXPENSES: The costs associated with extortion demands extend beyond just the demand itself. To ensure these costs are covered by the insurer, policyholders should review their policies to ensure the definitions of such expenses extend to cover:
- Monies or property surrendered to a 3rd party: This should clearly include cryptocurrencies generally (not just Bitcoin). If employees are explicitly excluded from the 3rd parties eligible to receive payment, rogue employees should be carved back.
- Investigation costs and costs related to hiring cyber response/computer experts
- Losses incurred while attempting to make extortion payments
- Data/Asset Restoration expenses (as outlined below)
It is also important to remember that many policies require pre-approval before any extortion payment is made. Accordingly, policyholders that find themselves victims of ransomware should not make any payment before consulting their brokers and respective insurers.
DEFINITION OF DATA RESTORATION: Most cyber insurance policies provide coverage for costs related to the recovery, replacement or restoration of data. However, some policies specify that the data must be “damaged” or “destroyed”. If a ransomware gang takes an organization's data and refuses to release the files, an insurer could argue the data was stolen rather than damaged or destroyed. Policyholders should ensure their policies explicitly include lost or stolen data as well. Additionally, broader cyber policies will also include coverage for:
- Costs incurred to recreate data in non-electronic form (if no electronic source is available)
- Costs to hire a cyber response specialist to assist with data restoration
The definition of “data” should be equally broad, including any software, program or electronic data. Some policies limit covered data to that which is subject to regular backups. Such a requirement should be removed.
DEFINITION OF LOST INCOME: In addition to providing coverage for the net profit or loss during a business interruption, the policy should also provide coverage for:
- Continuing operating expenses (during the period of restoration)
- Costs to hire a forensic accountant, as required to quantify the loss: Some policies specify that the forensic accountant will be selected by the insurer; insureds should attempt to remove this requirement.
- Extra expenses, such as payroll, costs to restore business operations and other necessary expenses: Broader policies further extend these to include the cost of hiring a cyber response firm for consultation on mitigating the damage and, more importantly, costs incurred to secure computer systems in order to minimize future disruptions.
EXCLUSIONS: Some policies contain notable exclusions that severely restrict coverage for certain damages. The following exclusions should be reviewed carefully, and avoided or softened as much as possible.
- Damages to 3rd parties and contractual penalties
- Costs to improve the network/system and correct deficiencies. Even absent such an exclusion, many policies will omit these expenses from covered damages.
- War & Terrorism Exclusions. Given that ransomware attacks are often deployed by foreign actors and considering the potential for state-sponsored attacks, policyholders should carefully review (and attempt to soften) their policy's war exclusion. Insureds should also be sure to partner with insurers that have a strong reputation for claim payments, as opposed to those that have a “decline first” mentality.
- OFAC Exclusions: In light of the U.S. Treasury's recent OFAC advisory, which warns that those who facilitate ransomware payments to sanctioned actors may face civil penalties, organizations should be on the lookout for OFAC exclusions, which may become more common in the coming year(s).
CONDITIONS PRECEDENT TO COVERAGE: Some policy forms contain a longer list of conditions that must be met before coverage is triggered, such as making every reasonable effort to determine that the extortion is not a hoax and/or requiring the ransom to be negotiated. These conditions are a minority position in the marketplace and place an undue burden on the insured, so they should be avoided.
It is also important to remember that cyber insurance is no replacement for the strong internal controls that all organizations should be implementing. Regular, multiple and encrypted backups (with at least one copy kept offline so it cannot be encrypted along with production systems), advanced email detection, password change protocols, and employee training programs are some of the most effective controls for preventing and limiting such attacks.