While the ultimate decision on whether to pay a ransom demand is the insured's, the insurer should be involved in that conversation as a documented step of the incident response plan. Involving the insurer also helps contain the moral hazard: every ransom paid funds and encourages the criminal actors behind the next attack.
Coverage for Damages
As cyber insurers have struggled to keep pace with the surge in ransomware attacks, they have asked more detailed and probing questions during the underwriting process and raised their threshold for what counts as a satisfactory answer. As vendors such as Fortinet advise, paying a ransom should be avoided if at all possible, and having strict security protocols and controls in place will make it easier to secure a policy at all. Organizations buying ransomware coverage must therefore be prepared to address all possible consequences of a successful attack. Even so, more businesses are looking into ransomware cyber insurance, which covers specific attack-related damages and, where permitted, reimburses ransom payments made to the perpetrators.
Depending on the details of the policy, ransomware coverage might assist with paying a ransom demand and with recovering data from backups. It might also help with legal expenses and public relations costs resulting from the attack.
A business must report a ransomware event formally to its insurance carrier within the time frame the policy requires; late notice can jeopardize the claim. Notice starts the investigation and response process, which typically involves engaging breach counsel, forensic IT specialists, and a cyber extortion case manager, with hourly or daily status updates to the insurer and its counsel.
In addition, the insured should avoid revealing its policy limits and other coverage information to the attackers, since that information is likely to be used to increase the ransom demand. A practical corollary: keep the policy document and related correspondence somewhere the intruders cannot read them, not on the compromised network, since an attacker who already has access to file shares can go looking for them.
The last thing any business wants is to pay a ransom and then suffer significant further losses because its systems still fail or because revenue is lost to downtime. That outcome is especially avoidable for a company with adequate cyber/E&O coverage, which can recover its direct payments rather than absorbing them.
Coverage for Business Interruption
Aside from reimbursing ransom payments to extortionists, many cyber policies also reimburse businesses for income lost because of the attack. This is known as business interruption coverage and is included in most major cyber policies. It matters because business interruption losses are often far larger than the direct cost of the ransom payment.
For example, a manufacturing facility utilizes computer systems to receive orders, process designs, and produce machinery. A hacker executes a denial of service attack and shuts down the plant for three weeks, resulting in lost sales and a loss of income for the manufacturer.
Cyber insurers have adapted their policy language to the changing exposure landscape and rising ransomware losses. They now demand more detailed information from prospective insureds during underwriting, and the controls they expect to see (tested backups, multi-factor authentication, endpoint detection) directly affect whether business interruption coverage is offered and on what terms.
The best cyber insurance policies include a broad definition of "computer systems" that covers data, networks, associated devices, backups (including offline backups), ICS and SCADA systems, security cameras, and other connected equipment. The policies should also provide comprehensive business interruption coverage that is not limited to lost revenue alone, but extends to extra expenses incurred to keep operating.
Getting the right type of cyber insurance matters for companies of any size, as the threat landscape is evolving rapidly and no one is immune to an attack. Proper internal controls, such as regularly taking and testing backups, advanced email threat detection, credential management protocols, and staff training programs, help protect firms from the most common attacks and are increasingly a precondition for coverage.
Coverage for Data Recovery
One traditional response to ransomware is to maintain adequate, restorable backups. A firm with tested backups can rebuild from them during an attack and avoid paying the extortion demand at all. Cyber insurance typically helps cover the cost of restoring from those backups.
Cyber insurance typically also helps cover the costs associated with a cyber extortion event, such as infrastructure rebuilding, travel expenses for negotiators and consultants, and hardware replacement. Insureds should remember, however, that paying a ransom does not guarantee the system will be returned to its original state: decryptors can be slow or faulty, and the attacker may have exfiltrated data as well. It is always better for an insured to strengthen its security controls and invest in preventive measures so the ransomware attack is far less likely to succeed in the first place.
Many cyber policies are "package policies" that bundle several types of coverage under a single policy. Each coverage may have its own limit of liability, and these limits may appear separate but often share a single aggregate. When that is the case, paying a ransom demand reduces what remains available for the other coverages, including breach of privacy losses, government investigations and fines or penalties (in cyber/E&O policies), and business interruption loss.
Additionally, if a firm pays a ransom to an entity on a sanctions list, it creates an additional exposure: the insurer will have to investigate and may deny the claim outright, and the firm itself may face regulatory consequences. Insureds must review the terms of their policies carefully to ensure they are adequately protected.
Coverage for Third-Party Liability
One of the most common responses to the ransomware threat is to purchase a cyber insurance policy. Among middle market companies, 68% have such a policy this year, up from 57% last year.
A cyber insurance policy typically covers loss from hacking, theft, data destruction, and failure to safeguard data. Business interruption and cyber extortion coverage can also be included.
Some policies also include an additional coverage called third-party liability, which responds to losses sustained by customers, clients, or other third parties because of a ransomware attack. This can be a valuable addition, since it helps absorb the defense costs and damages of the lawsuits that often follow an incident.
With the rise of ransomware attacks by criminal groups and even state actors, insurers have adapted their underwriting practices. They ask more probing questions, hold higher thresholds for what they consider a satisfactory answer, and have changed their premiums and terms accordingly.
As a result, many insureds are advised to avoid any communication with their attackers that could reveal coverage limits or other policy details, since doing so may breach the policy's conditions and will certainly embolden attackers to make larger extortion demands. Such a disclosure can also delay the claim while the insurer conducts a detailed investigation, which in turn can lead to a coverage dispute.
Cyber insurance is a valuable tool in the arsenal for dealing with a ransomware attack, but it is a backstop rather than a substitute: the primary defense is strong controls that minimize the risk of being compromised in the first place.