Insurance lawyers are watching the ransomware trend with alarm. Attackers now demand that victims disclose details of their cyber policies to bolster their payment demands. This cooperation voids coverage and may encourage attackers to make larger requests in the future.
Understanding your existing coverage is crucial in determining what kind of protection your business needs. Here are three key factors when choosing cyber insurance for ransomware settlement.
Cost
Many organizations struggle with whether to pay extortionists in ransomware incidents. Cybersecurity experts like Fortinet warn against paying ransomware settlements, as they tend to put a target on your company's back for future attacks. But the reality is that paying a small ransom is far less costly than recovering from an operational disruption lasting weeks or months.
Large payouts are expensive for insurance providers, so policies often include limitations to ensure that they only cover incidents at companies that have the necessary defenses in place and do all they can to thwart an attack. As such, many insurance policy exclusions require careful review to understand.
Insurers also need to be careful not to create incentives for extortionists. As a result, they tend to react quickly to changes in the attack landscape. According to proprietary research from a digital risk firm, the frequency of ransomware attacks tends to ebb and flow. Insurers will rapidly adjust their pricing when the frequency peaks to reflect the higher risks.
Organizations should also be aware of the potential for sanctions exclusions in their cyber insurance policies. Many countries maintain a list of sanctioned individuals and entities, and an organization can unknowingly violate sanctions through its payments to, or communications with, attackers. This can create additional exposures and delay claims. Staying abreast of sanctions lists and carefully considering all possible payment options when negotiating with attackers is essential.
Coverage Limits
In the past, cyber insurers could keep premium costs reasonable and profit margins high by keeping ransom payments modest compared to the value of the data being held hostage and traditional property and liability insurance losses. Even if the victim did pay a ransom, it was typically in the thousands of dollars range and thus not a significant portion of the total recovery cost.
However, as ransomware attacks became more sophisticated, many insureds found themselves in a Catch-22. Minimizing liability risk by quickly paying a ransom exacerbates the threat of further attacks by encouraging criminals to increase their demands. On the other hand, refusing to pay a ransom risks exposure to lawsuits from customers, shareholders, and third parties for breach of duty to mitigate.
To help overcome these dilemmas, law firms coordinating breach response continued to offer “ransomware-settlement-as-a-service” packages, which allowed clients to cloak communications with hackers on the darknet, barter over demands, and obtain and pay ransoms in cryptocurrency, all while minimizing exposure to privacy breach claims. Increasingly, this strategy was being offered as part of the overall incident response package offered by some cyber insurers. Yet such services do not satisfy the industry’s requirement for robust loss mitigation, which requires policyholders to notify and cooperate with investigators and refrain from discussing a claim or negotiation with criminals.
Coverage Exclusions
A few insurers have specific stipulations on whether ransomware settlements are included or excluded. Policy language is constantly changing because this is a new and evolving product. Insureds should carefully review new products to understand the nuances of what these changes mean for their coverage.
For example, some cyber insurance policies contain a “Ransomware Extortion Sublimit.” This limits more than just the extortion payment—it also limits other first- and third-party losses (such as those resulting from an information privacy wrongful act or network security criminal act). This limitation is a crucial consideration for clients.
Another critical factor is whether the insurer requires a documented incident response plan (IRP) before making payments. If this is needed, the insured should ensure they have one in place and that it includes a protocol for notifying their cyber carrier promptly upon learning of a potential ransomware attack.
A formal incident response plan is also critical to help avoid triggering the “failure to maintain” clause in a cyber policy, which excludes coverage if a claim occurs due to an insured’s negligence. For example, failing to have an up-to-date backup system could trigger this exclusion. Educating insureds about preventative measures such as regular and multiple encrypted backups, advanced email detection, password change protocols, and employee training can reduce their vulnerability to ransomware attacks. It may help them avoid relying on this coverage.
Coverage Options
As insurers struggle with the cost of ransomware settlements, they have taken steps to limit losses by tightening policy conditions. These include requirements for multifactor authentication, more robust password policies, and a requirement that enterprises engage cyber incident response services that can handle effective ransomware resolution. These are all welcome developments but should not be seen as a substitute for robust, well-resourced security programs.
In addition, insurers have begun to include ransomware in standard cyber insurance and data breach insurance coverages, often under a heavily sublimited limit. Unfortunately, this incentivizes cybercriminals to identify whether the target has a full-coverage policy and, thus, is more likely to pay a ransom demand. This can lead to a vicious cycle, with attackers targeting the companies most likely to pay and adjusting their demands accordingly.
In many cases, the only way to protect against this is to purchase a separate ransomware endorsement for your cyber insurance. However, this exposes your company to reputational harm and business interruption losses resulting from the disclosure of a ransom payment or from customer contact. Additionally, paying a ransom to an entity on a sanctions list could trigger a sanctions exclusion in your insurance policy. Therefore, careful consideration is needed when choosing the right policy for your organization. This requires a thorough understanding of the ins and outs of your current policies, including the terms of any endorsements you have purchased.