Insuring Your Business Against Cyber Risks (Part Three — Ransomware)

Below is the third in a series of posts from Emergent partner Peter Roldan on the increasing need for cyberinsurance.  His prior posts in the series are here and here.

Ransomware is a type of malware that encrypts data stored on an organization’s computer network, preventing users from accessing it unless a ransom is paid.  After infiltrating a computer network to install the ransomware—often through “spearphishing” or other social engineering attacks—the attackers demand money in exchange for the decryption key needed to recover the data being held hostage.

The use of ransomware has become more widespread because the tools used to mount an attack are easier to obtain than ever and the cost to an attacker of mounting one is minimal.  Although large companies with the resources to pay a ransom and organizations that hold particularly sensitive data, such as hospitals, are among the most common targets for ransomware attacks, any company that stores data on a network can become a victim.

Maintaining up-to-date security measures, regularly backing up data, and training employees to be aware of social engineering threats are actions all organizations should be taking in order to mitigate the threat of a ransomware attack.  Insurance is another key component of any risk-management strategy.

Many cyberinsurance policies include or offer coverage for cyberextortion, which can cover ransom payments made to recover encrypted data, as well as associated losses and expenses.  However, policyholders should be aware of the following issues that may arise when the time comes to make a claim.

Notice: Policies may require an insured to give notice of a ransomware attack as soon as it is discovered, or at the very least within 30 days.

Deductibles: Under many cyberinsurance policies, a deductible applies to all first-party claims, including ransomware.  Often, the deductible will be more than the amount of ransom being sought by an attacker.

Genuine Threat: Some policies require an insured to prove that a payment to a ransomware attacker was made under duress or that the threat was genuine and not a hoax.

Conditions: An insured may be barred from disclosing the existence of coverage for ransomware claims to an attacker.  Policyholders may also be required to cooperate with the insurer and coordinate any response efforts.

Coverage Exclusions: Many policies contain exclusions for acts of war, acts of foreign enemies, or government acts.  Acts of terrorism may also be excluded.  In addition, claims against an insured for bodily injury that may occur as a consequence of a ransomware attack (e.g., against a health care provider that loses access to patient information) are typically excluded under the liability coverage available under most cyberinsurance policies.

Security Measures: Many policies require policyholders to maintain adequate security measures, or to maintain the security measures disclosed in the policy application, and coverage may be barred if those measures are not in place when a loss is incurred.

While it is important to have cyberinsurance in place to protect your business, it is just as crucial to make sure that the policy will actually respond in the event of a loss.  To find out how Emergent can help you maximize your recovery on ransomware claims and other cyber risks, contact us.