We’ve discussed the rise of ransomware on a couple of occasions, most recently with the WannaCry incident. As WannaCry and the more recent Petya attack illustrate, safeguarding clients against a ransomware attack is an important part of an organization’s risk program, and ransomware coverage can be included in a Cyber Liability insurance policy. Typically, coverage is provided for extortion demands/payments and reasonable associated fees, the resulting lost income, asset restoration and potential reward reimbursement. But several critical issues, including the definition of the covered event and the policy’s terms and conditions, need to be examined when securing ransomware insurance as part of an organization’s program. These include the following:
- Evaluate the deductibles and sub-limits on the policy for ransomware. Cybercriminal demands may begin on the low side but can quickly balloon to larger amounts. It can also be time-consuming and costly to conduct a forensic investigation and to restore digital assets once access to them is returned. All of these factors, together with the number of records/files on the network, should be taken into account when performing an insurance limit review. Also, because of the potential for lost income, the time deductibles (waiting periods) on business interruption coverage should be reviewed.
- Look at ransomware payment terms: Most policies are written on a reimbursement basis but require the insurer’s prior written consent before a payment is made. This requirement can result in payment delays and increased demands. Clients should also be very careful not to make any payments without that consent (even payments below the deductible), so as not to compromise coverage.
- How extortion is defined: The definition of an extortion demand dictates the trigger for coverage. More basic forms may limit it to threats to “sell or disclose PII” or to launch a DDoS attack, but broader policy forms cover a wide range of threats, and the definitions need to be evaluated. RPS can discuss these with you in detail.
- The definition of extortion expenses: Some policies simply define this as reasonable fees and expenses. Be sure that “reasonable” expenses include such things as monies or property surrendered to a third party, the cost of hiring negotiators and consultants, travel expenses and accommodations, investigation costs, losses incurred while attempting to make such a payment, and asset restoration expenses.
- Policy exclusions: These need to be carefully vetted to ensure the policy will respond. Exclusions to look for include: damages to third parties and contractual penalties, business interruption, the value of assets or trade secrets, and the cost to improve the network/system and correct the deficiencies that allowed the attack.
- Cloud consideration: Review how a ransom demand involving a cloud provider would affect coverage. To ensure coverage will respond, carefully review the definitions of “network” and/or “computer systems” to make sure they include computer systems owned, controlled or leased by the insured, and that they also extend to systems operated by third-party/cloud providers on the insured’s behalf.
Of course, in addition to having the right insurance product, robust internal controls are necessary to help prevent and recover from ransomware, including regularly performed, encrypted backups that are kept isolated from the production network and are periodically tested for restoration.
RPS provides Cyber Liability insurance to a wide range of companies and professions, and offers policies that include Privacy Liability, Professional Liability, Network Security Liability, Media/Website Liability, Notification Expense, Regulatory Proceedings, Brand Protection/PR, Business Interruption, Damage to Systems, Electronic Theft and Cyber Extortion.