When it comes to cyber risk insurance, coverage for ransomware related claims is an important component. And with ransom attacks on the rise, it’s more important than ever. But organizations need to be careful not to develop a false sense of security over the simple placement of coverage. Not all ransomware coverage is created equal – as demonstrated below, terms vary greatly. At their most basic, policies should provide coverage for: 1) extortion demands/payments and reasonable associated fees, 2) resulting lost income, 3) asset restoration and potentially 4) reward reimbursement. A closer look should also be given to the definitions, terms and conditions as outlined below.
DEDUCTIBLES & SUB-LIMITS: Most policies today set a sub-limit when it comes to coverage for ransomware. It’s important to review this limit carefully. Demands may often (at least initially) be set on the low side, however they can quickly balloon to larger amounts. Additionally, it can be time consuming and costly to conduct a forensic investigation and restore digital assets once they are returned. In addition to the number of records/files on the network, all of these factors should be taken into account when performing a limit review. Due to the potential for lost income, time deductibles on business interruption coverage should also be reviewed. Lastly, it’s important to remember that, making a ransom payment may result in the payor being placed on a “white list” thus creating a soft target for follow up ransom demands. Due to this potential, organizations should keep in mind the possibility of being affected more than once in a policy year.
PAYMENT TERMS: Almost all policies are written on a reimburse basis but do require prior written consent. This requirement, which can be difficult to sidestep, can result in payment delays and increased demands. Insureds should also be very careful not to make any payments (even those below the deductible), so not to compromise coverage. Lastly, stronger policies will also contain affirmative statements indicating such consent may not be unreasonably withheld, which is a nice feature.
DEFINITION OF "EXTORTION": The definition of extortion demand will dictate the trigger for coverage. More basic forms may limit this to threats to “sell or disclose PII” or induce a DDOS attack – such narrow definitions should be avoided. Broader policy forms will include a wide range of threats, including threats to:
- Cause payment or fund transfer: This may sound obvious but I consider this the single most important “threat” definition against the standard ransomware attack. While such attacks may intend to “sell or misuse” information, the ransom demand will likely make no such statement. Aside from a count down timer and demand, there is often little said. A carrier truly seeking to deny coverage could attempt to lean on some of the below language, indicating that there is no explicit threat to sell or misuse the information.
- Access, sell, disclose or misuse info: At the bare minimum, this info should include PII, PHI and CCI. However, broader policies will define this more simply as “data stored on your network” and include “digital assets” (which include your business information). This is an important consideration for companies with IP, etc. The “acts” should also be considered. Some policies require a threat to sell or disclose the data, whereas broader definitions will more simply define the trigger as threats to merely “access” such information.
- Alter, damage or destroy software or programsIntroduce malicious software: Insureds should carefully review the definition of malicious code and any exclusions to make sure viruses and self-propagating code are not excluded.
- Impair or Restrict access (DDOS attacks): This should include interference with your software and systems/network. Policies with the broadest terms will contain more open definitions such as “threats to disrupt business operations”.
- Pharm or phish your clients: These attacks involve impersonating the insured in order to gather protected information from its clients. It should be noted, many policy forms were absent of this wording.
- Use your network to transmit malware
- Deface or interfere with your company’s website: Historically a common target for ransomware.
EXTORTION EXPENSES: Some policies simply define this as reasonable fees and expenses, which does appear broad but there is always a question of what is “reasonable”. Buyers should be careful to ensure the following are included:
- Monies or property surrendered to a 3rd party: It’s important to ensure any definition of “Monies” is inclusive of digital currency/bitcoin. And if employees are explicitly excluded from those 3rd parties eligible to receive payment – rogue employees should be carved back.
- Costs related to hiring negotiators and consultants
- Travel expenses & accommodations
- Investigation costs
- Losses incurred while attempting to make such a payment
- Asset Restoration expenses (sometimes separated into extra expenses or separate e-vandalism expenses). This should include cost of reproducing or replacing the media/data, labor for decryption and costs associated with addressing system vulnerabilities.
EXCLUSIONS: Some policies contained notable exclusions that severely restrict coverage for certain damages (as listed below). Policies with such language (particularly pertaining to 3rd party damages and business interruption) should be avoided entirely.
- Damages to 3rd parties and contractual penalties
- Business interruption
- Value of assets or trade secrets
- Costs to improve the network/system and correct deficiencies
- Additionally policy-wide exclusions should also be reviewed to ensure there are no particularly problematic exclusions that might apply to the extortion insuring clause.
CONDITIONS PRECEDENT TO COVERAGE: Some policy forms contained a longer list of conditions required to be met prior to coverage being triggered, those might include: making every reasonable effort to determine extortion is not a hoax and/or requiring the ransom to be negotiated. These should be avoided due to being a minority in the marketplace, and putting undue burden on the insured.
CLOUD CONSIDERATION: Due to the frequency at which companies use 3rd party providers for data storage and software solutions (among others). It’s important to consider how a ransom demand affecting a cloud provider might implicate coverage. In order to ensure coverage will respond, insureds should carefully review the definition of “network” and/or “computer systems” to ensure they are inclusive of computer systems owned by, controlled by, or leased by the insured. The definition should also include 3rd party/cloud providers.
It’s important to remember that cyber insurance is no replacement for strong internal controls. Regular (and multiple) encrypted backups are one of the most effective ways of preventing such attacks. As an added tip, if/when you find yourself the victim of such an attack, the FBI/DOJ may actually already have the encryption key on file – a quick phone call to these agencies may just save you.