Selecting an appropriate cyber insurance policy can seem daunting. There are a number of different cyber events that could affect businesses differently based on a number of factors, including the company’s network design and cyber security readiness. The market for cyber insurance policies does not have a widely accepted form that is predominantly used by carriers, brokers, or policyholders, resulting in approximately 70 carriers drafting their own cyber insurance policies, many of which are negotiable. Lastly, the risks and technology at issue evolve quickly, adding uncertainty and the potential for a “new” event that may not be covered appropriately by your company’s current policies.
Indeed, ransomware is a classic example: it soared to “prominence” in recent years, only for cyber criminals to rely more on cryptominers in the early part of 2018. Nevertheless, by the end of 2018, with cryptocurrency valuations declining, there were signs that the use of miners had begun to fall. While, overall, this led to a decline in “the number of active ransomware families[,] the total number of new variants increased, meaning the ransomware operations that remained active pumped out more samples, more often.” And “the chances of ransomware payloads being detected and blocked prior to execution are becoming increasingly low.” Ransomware attacks are expected to reach a global cost of $20 billion by 2021.
The following are some (though clearly not all) practical considerations when evaluating your company’s coverage for ransomware attacks. First, discuss the deductibles and sublimits related to the cyber extortion coverage with your information technology (IT) department in the context of your network’s design and of the impact a successful ransomware attack could have on your network. Many cyber insurance policies contain a deductible that is much higher than the average ransom demanded, while placing a sublimit on cyber extortion coverage that is less than the policy’s overall limit and could be less than the overall costs of the attack should the company not be adequately prepared. Policyholders and the appropriate internal IT liaison should fully discuss the impact of the deductible and sublimit for ransomware attacks in the context of your company’s cyber-incident response strategy, the difficulty of restoring your network from backup data, and the damages that would result in the interim.
Second, does the policy require notice to the carrier and consent before the ransom is paid? Many policies require advance notice to the carrier and the carrier’s consent before paying the ransom. While that may not be an issue for some companies, it can cause problems, particularly if delays in decrypting or restoring the company’s data increase the risk of bodily injury or property damage. For example, even minimal delays in decrypting a hospital’s data could result in bodily injury or death. Policyholders should consider what actions a policy requires under its extortion coverage before paying a ransom and whether those requirements will impact the company’s response and/or its customers if a cyber extortion event occurs.
Third, policyholders should discuss and decide internally if they want to control the outside vendors that are used in the event of a ransomware attack. Many policies require policyholders to select outside vendors such as forensic investigators from a pre-approved list of providers. If your company has selected its vendors and wants to keep them, check the pre-approved list and confirm those vendors are included, or negotiate an appropriate amendment with the carrier.
Fourth, policyholders should carefully evaluate the business interruption coverage under their cyber insurance policies and determine the effectiveness of their policies’ responses to the company’s particular needs in the aftermath of an attack. For example, is the policy triggered by all cyber events, including cyber-extortion events? Does it adequately cover “extra expenses” to mitigate a loss and the lost business income stemming from an event? Lastly, if your company relies on third-party vendors that are susceptible to similar attacks, does your coverage include contingent or dependent business interruption that will cover your losses if a vendor is impacted by a ransomware attack?