Do you have the right policy to protect against ransomware?
Not only have ransomware and cyber extortion attacks been on the rise since the beginning of the pandemic, but ransom payment demands have climbed, as well. According to Verizon’s 2021 Data Breach Investigations Report: “The major change this year with regard to action types was Ransomware coming out like a champ and grabbing third place in breaches (appearing in 10% of them, more than doubling its frequency from last year).”
That leads to an important question for any enterprise: Would your organization’s insurance policies cover the losses from ransomware or cyber extortion?
What are ransomware and cyber extortion?
Ransomware is a form of malicious software used by hackers to gain access to your company’s computer systems or files and block user access to the systems or files. Cybercriminals hold the data hostage until they receive a pre-identified ransom payment in exchange for the encryption key. A cryptocurrency such as bitcoin is typically demanded by the attacker as payment.
Early ransomware attacks demanded a ransom to unlock the data or a device. Hackers currently, however, often initiate “double extortion” attacks that demand a ransom to both unlock data and prevent the publication of the data.
Cyber extortion, which was one of the earliest forms of cyberattack, has been happening more frequently. In a cyber extortion attack, the threat actors steal data, then tell the victim company what data they stole. They nearly always provide a virtual “proof of life,” such as a picture of a file tree that shows what parts of the network were infiltrated, and also might share a sample file or two. Then they will demand payment to take the data offline with a promise to destroy it.
What causes a ransomware infection?
Cybercriminals use various methods to infect networks and devices in ransomware attacks. Ransomware attacks may be initiated by the following infection methods:
- Phishing emails and other social engineering attacks. Cybercriminals send phishing emails that appear legitimate to unsuspecting employees who then click on the email and introduce the malware onto the company’s systems. Ransomware attacks also may be triggered by an employee’s visit to an infected website or to an advertisement containing malware injected into a legitimate website.
- System and software vulnerabilities. Cybercriminals exploit existing vulnerabilities to inject malicious code into a network or network. Zero-day vulnerabilities, whether unknown to the security community or identified but not yet fixed or patched, pose a threat.
- Credential theft. Cybercriminals steal authorized users’ credentials, buy them on the dark web, or crack them through force. They use these credentials to log into a network and deploy ransomware directly.
Coverage for ransomware and cyber extortion
A best practice for companies is to consider purchasing a stand-alone cyber insurance policy that provides coverage for extortion demands and ransom payments.
That might be easier said than done. Not all cyber insurance is equal, and insurance carriers will be quick to point out that not all of their policies have explicit coverage for ransomware and cyber extortion. In fact, cyber insurance is different from most other lines of coverage because the policies vary significantly from carrier to carrier and even from year to year.
Below are six best practices when buying, renewing, or evaluating insurance for ransomware and cyber extortion.
- Pay close attention to the application. Under many cyber policies, the insured represents and acknowledges to the insurer that the statements and information in the insured’s application are true and accurate, and material to the insurer’s agreement to accept the risk. The insured’s completed application might become part of the contractual terms between the insured and the insurer. Insurance carriers might take the position that in the event the application contains a misrepresentation or omission material to the insurer’s acceptance of risk, even if the omission or misrepresentation was inadvertent and not made knowingly, the policy provides that it is void.
For this reason, the insurance industry tries to put the burden on innocent insureds to “over disclose” information provided in an application. To avoid having a fight with the carrier and its outside counsel, it is a best practice to quadruple check the accuracy and completeness of responses to application questions and information and document requests, viewing the question from the perspective of a carrier’s outside counsel rather than the friendly underwriter and broker that want your organization’s business.
This means that insureds should work with multiple persons in the company, including, but not limited to, experienced IT, insurance, counsel, and executive personnel, to provide answers to the application, seek clarification from the underwriters if any questions are unclear, and overshare information to the extent required to properly and completely answer application questions, including attaching addenda to the application. In recent years, there has been an uptick in cyber insurer scrutiny of applications in the wake of high-dollar claims, looking for purported misstatements or omissions upon which to base an argument that the carrier is entitled to rescind coverage. A rescission action by a carrier is fact-intensive and expensive to defend, and if successful, could leave the insured without coverage for any claim during the rescinded policy period.
- Look for a coverage section called “cyber extortion” or “ransomware,” and make sure your organization buys that coverage. That coverage often includes the cost of paying a ransom and sometimes includes the costs of investigating the cause and origin of the attack, as well as remediating it. Not every policy has this coverage written into the policy explicitly. If the policy is offered “cafeteria style” – meaning the buyer must pick and choose the coverage to purchase – it is crucial to make sure the organization buys this coverage.
- Look for a coverage section called, “business interruption” or “business income and extra expense.” This type of coverage section often is similar to a first-party property insurance policy’s coverage and provides coverage for lost income and extra expenses resulting from ransomware taking networks offline.
- Look for a coverage section called, “network security liability.” This type of coverage often will cover the costs of defending and indemnifying third-party liability claims from customers or other third parties as a result of the failure of network security (often how ransomware and cyber extortion events occur).
- Consider the potential impact of any so-called “war” exclusion, particularly in light of recent world events. War exclusions have become the subject of debate when it comes to cyberattacks and insurance, with some recent and significant coverage litigation disputing whether a “war exclusion” applied to NotPetya (a form of malware that looked just like ransomware). Some carriers have left their “war exclusions” alone; other carriers have added significant verbiage to their exclusions. Changes to war exclusions could have a significant impact on coverage.
- Avoid sublimits and co-insurance. Certain insurance policies set a lower limit of coverage for cyber extortion and ransomware attacks. For example, a $10 MM limit cyber policy may provide only $5 MM for cyber extortion. Insureds should consider whether a proposed sub-limit amount is sufficient to cover a possible ransomware attack. Policies might also include co-insurance, a provision that carriers say requires the insured to match, dollar for dollar, amounts that the insurance carrier pays for ransom or extortion. Certain insurers continue to provide a full limit of liability for ransomware and cyber extortion event.
What steps can you take to get the most coverage for ransomware and cyber extortion?
Now you know what kind of insurance you should have in place (according to how insurance carriers view the world). What should you do when a cyberattack occurs? Below are select best practices that companies can take to get the most out of their insurance policies in the event of a ransomware attack or cyber extortion event.
- Provide immediate notice to the insurer. Insureds should provide immediate notice of a ransomware attack to their cyber insurer and all of their liability and first-party insurers. Notice to all relevant insurers should be given by insureds because coverage may also be provided under non-cyber liability policies such as liability, crime, and property policies. Delaying notice to insurers may result in the insurers arguing that notice was late and declining coverage for a claim that otherwise could have been covered.
- Secure consent from the insurer to pay ransom. Extortion coverage often requires insureds to ask and obtain written consent from the insurer before agreeing to pay the ransom. Insurance carriers assert that insureds put their extortion coverage at significant risk by failing to obtain their insurers’ prior written consent before paying a ransom, and that insurers may refuse to reimburse the insureds for payments made without obtaining consent in advance.
- Be mindful of cooperation. Insurance carriers constantly assert that their cyber policies require insureds to cooperate with the insurer. Their outside counsel will say that this requires the insured to do whatever the insurance carrier asks for, whether it is information relevant to the claim, or information that only will help deny coverage. Setting aside the worst-case scenario, insurance carriers want their insureds to coordinate with them and relevant authorities, provide updated claim information on request, and work cooperatively to resolve the event and third-party liabilities.
- Think about “silent cyber.” Consider whether other insurance policies such as kidnap, ransom and extortion, crime, or property insurance policies could provide coverage for resulting losses resulting from ransomware or cyber extortion. Although the insurance industry calls this “silent cyber” – the idea that other insurance policies, which are not sold as “cyber insurance,” can provide coverage for cyber risks, including ransomware and cyber extortion – there are cases ruling that other policies can and do provide coverage for ransomware-related losses. Other policies could help provide coverage if your cyber program’s limits are not sufficient, or even to fill in the amount of a sizable retention in your cyber program.
- Pay attention to a “reservation of rights.” A reservation of rights is a letter from the insurance company admitting that coverage is implicated by the event while purporting to “reserve” the “right” to deny coverage later. Sometimes, reservation of rights letters are flat wrong. Maybe the carrier misunderstood the facts, the policy language, or the relevant coverage law. Either way, insureds would be well-advised to pay attention to the reservation of rights letters and correct carrier misstatements.
This article should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own lawyer on any specific legal questions you may have concerning your situation. These views are the author’s own.