Your worst nightmare has come to fruition and a hacker has taken your systems offline and data hostage until you agree to pay their ransom demands. Thankfully you previously took the initiative to purchase insurance for emergencies like this, but how do you ascertain whether your insurer will compensate your financial losses in this situation?
By Sjaak Schouteren and Claire Davey, Cyber, Media & Technology Practice
The following considerations will help you to identify where adjustments can be made to ensure that your balance sheet doesn’t take an unnecessary hit when ransomware hackers strike:
Silent Cyber and Uninsured Gaps
The most common insurance policies that companies purchase to cover their losses are property and general liability programmes.
Many companies assume that without an explicit cyber exclusion, their cyber losses will be covered during an incident. However, as cyber events do not generally trigger these traditional policies, business interruption or third party losses would not be covered in this instance.
“Business interruption and the cost of resuming system function are usually the biggest uninsured gaps that cause the highest losses for insureds,” highlights Winston Krone, Global Managing Director at Kivu Consulting.
In some cases, the extortion demand arising out of a ransomware attack could be (unintentionally) covered under a kidnap and ransom (K&R) policy.
However, the experts sourced by a K&R policy would not (in most cases) specialise in negotiating with and responding to cyber-related extortion incidents. Having a comprehensive cyber policy would give you access to a panel of vendors with the expertise to help you mitigate any potential losses that could arise from a ransomware attack.
What Standalone Cyber Liability Covers
A cyber policy would indemnify the insured for the business interruption arising out of a ransomware attack, providing coverage for their reduction in net income and increased costs of working incurred as a result of the attack.
Cyber coverage would provide data restoration coverage to replicate, replace or restore any data that is lost, corrupted or erased by the ransomware. A cyber policy would also respond to third party claims arising out of the attack.
These could come in the form of regulatory fines and penalties, claims of negligence from contracting third parties, and legal actions brought by individuals whose data may have been stolen or exposed during the attack.
Challenges to Obtaining Indemnification
Under the General Data Protection Regulation (GDPR), companies can face costly fines if personal data is breached during the ransomware attack and the situation is not handled appropriately.
“Although cyber policies are usually pretty generous when it comes to recouping loss of revenue, it is difficult to get fines insured in many jurisdictions, as it takes away from the point of the sanctions,” comments Jurriaan Jansen, Privacy and Cyber Of Counsel at Norton Rose Fulbright LLP. Cyber policies can respond to third party claims for regulatory fines and penalties, but indemnification of these may take longer given the legislative red tape involved.
In some territories where insureds have exposure, it is illegal to pay cyber extortion ransoms, as it is construed as funding terrorism.
As such, the insured would be unable to fund the ransom and seek indemnification under the policy. However, the incident response panel would work alongside the appropriate law enforcement authorities to ensure that the correct protocol is followed.
Should the ransomware enable the hacker to steal monetary funds from bank accounts, the value of this money would not be covered under a cyber policy, as it is a direct financial loss. However, the insured could seek indemnification under a crime policy for this aspect of the claim.
Lastly, should the incident reconfigure heavy industry machinery, including critical infrastructure, to overheat or explode and ultimately cause property damage and/or bodily injury, this would not be covered under a typical cyber policy.
However, should insureds be particularly susceptible to these exposures, bespoke solutions can be tailored to respond accordingly.
The Legal Implications of Ransomware
In most cases, expert vendors will work with the insurer and broker to get the best solution for the client.
Jurriaan advises having a policy document that highlights “a clear, well-organised and detailed process that the company must follow in the case of a ransomware incident, so that the right people are contacted and the correct steps are taken to limit the damage as much as possible”.
We would advise you to check the legislation regarding ransoms in the countries you operate in, as paying a ransom is illegal in some territories.
Do Insurers Pay Ransomware Claims?
The most important function of cyber insurance is to bring a company back to its original state prior to any type of incident. In other words, the expert panel - in collaboration with the insurer and broker - will do everything they can to get the company back on track.
The same applies to a ransomware incident. In summary, if all of the appropriate prevention measures are in place, there is no reason for insurers not to pay out.