Ransomware Risk: 4 Questions to Ask to Optimize Cyber Insurance
Following the “WannaCry” ransomware cyberattack in at least 140 countries, insurers, brokers and cyber risk management specialists are working with businesses to report claims, improve and expand existing cyber insurance coverages, and implement cybersecurity best practices.
This is the second cyber “aggregation threat” incident of 2017 and there’s every indication the next wave of ransomware attacks will be more disruptive and harder to halt.
Targeting a Windows vulnerability, WannaCry locks up a computer system it infects until the victim pays a ransom. Multiple organizations affected have confirmed the average individual ransom demand from the attacks at $300, with some companies receiving a $600 demand to be paid in Bitcoin, a cryptocurrency popular with hackers. With more than 200,000 organizations believed to have been infected, experts, including Vikrum Thankur with Symantec, believe total repair costs could be in the tens of millions of dollars.
What stopped WannaCry was an accidental IP address weakness that was exploited to prevent further spread. However, the malware could be reconfigured minus the IP weakness and then the process could start over again. In fact, there are already other similar but more destructive ransomware tools being tested that will be up for sale on the dark web shortly.
The actual ransom cost is minimal compared to the costs associated with retaining forensic expertise to identify the scope of the attack and provide remediation services, the business interruption losses and the cost to repair and restore a network.
Additionally, given how courts have recently granted standing for class action suits relating to breach events and cyber, this massive attack is likely to trigger a wave of cyber liability lawsuits in a manner not seen before. For example, the healthcare industry could be vulnerable to such lawsuits if critical services to patients were interrupted due to a cyber incident.
Amid the real possibility of another ransomware attack, businesses should take proactive steps to ensure their cyber risk management practices, cyber service providers and cyber insurance policies are equipped to respond effectively to ransomware attacks.
This includes developing a robust response plan with all organizational stakeholders outlined and aware of their duties. Making sure IT or a cloud provider regularly backs up organizational data is also crucial.
These are four questions that businesses and their brokers should be asking to help ensure their insurance policies are optimized to handle ransomware effectively:
- Does the business have a cyber policy in place with a specific cyber extortion or ransomware coverage grant? This will not reside in a crime, employment practices liability (EPL) or other management liability policy.
- Does the cyber ransomware/extortion coverage contemplate payment in bitcoin or other crypto currency? If not, the coverage is not addressing the major ransom type requested.
- Does the cyber ransomware/extotion coverage allow for forensic expense costs and/or other expenses to be covered in relation to a ransomware event? Identifying the source of the ransomware exploit, if any further damage was done and if there was personally identifiable information (PII) or protected health information (PHI) exfiltration are critical items in a ransomware event and are typically considered forensic expense.
- Does the policy include first party business interruption and network recovery expenses coverage? A major threat of a ransomware event is business interruption and the cost to restore its network to a pre-extortion state. These coverage grants work in conjunction with cyber ransomware cover and must be broad form.
It is important to keep in mind that all cyber policies are not created equal and typically have different clauses or coverage grants. There also is no uniformity among the language or terms within the grants. Some policies offer ransomware coverage while some do not, and not all cyber policies include the use of bitcoin or other crypto currency.
While it’s true that large corporations may still be the most lucrative targets for hackers, including cyber-extortionists, small and middle market (SMB) businesses increasingly are targeted. However, most SMB businesses remain unconcerned about cyberattacks. According to a 2016 report by the National Federation of Independent Business, SMB business owners rank cybercrime 51 out of 75 possible business concerns.
This is in spite of the fact that cybercrimes are up significantly in all categories. Ransomware attacks, for instance, rose from 3.8 million attacks in 2015 to 638 million in 2016, according to a report published by SonicWall.
It is incumbent on organizations to make sure they have purchased the right kind of cyber coverage. Without a comprehensive cyber insurance program, companies may be forced to pay out-of-pocket for system remediation costs, business interruption losses and any potential liabilities resulting from an attack. For small to medium sized corporations, this could be a financial catastrophe.
For organizations that have been dragging their feet on whether to obtain cyber coverage, WannaCry is a warning shot that cyber threats are a real and serious matter that need to be addressed sooner and not later.