Ransomware and Cyberinsurance

James Carter, Omid Safa, and Jared Zola

At the beginning of 2017, many publications predicted that ransomware would be one of the most significant cyber threats of the year. The year is not even half over and that prediction appears to be coming true.

On Friday, May 12, 2017, tens of thousands of organizations and companies across the world fell victim to a virulent form of ransomware known as “WannaCry.” The global event has been recognized as one of the largest cyberattacks ever.

Ransomware is not a new cyber threat. But the WannaCry ransomware attack stands out in terms of its scale and complexity. A broad swath of companies, organizations, and governmental agencies in more than 150 countries found themselves in its crosshairs. Reportedly, WannaCry took advantage of code developed by the NSA that was leaked to the public by hackers. Once it infected a computer, it actively spread to other computers on the network. Victims had a matter of hours to pay the ransom or the ransom would increase. Fortunately, the WannaCry attack was blunted after a cybersecurity researcher registered a domain that operated as a kill switch. Even so, companies and organizations may continue to experience the lingering effects of the attack. Some have warned of a second wave of ransomware attacks.

The WannaCry attack highlights how cyber threats are evolving and can cripple an organization’s ability to operate, resulting in lost profits and extra expenses, in addition to the cost of the ransom. Some companies and organizations may also face liability due to the inability to provide services.

Cyberinsurance can play a vital role in helping companies and organizations recover and mitigate losses from a ransomware attack and other cyberattacks. But as we have discussed in prior posts, not all cyberinsurance policies are the same and it is essential that policyholders seeking to maximize their coverage pay attention to the fine print when purchasing cyberinsurance.[1]

The coverages often found in cyberinsurance policies that could help alleviate losses from a ransomware attack include:

  • Cyber Extortion: Cyber extortion coverage compensates the policyholder for monies paid in response to a ransom demand. In a recent article, we discussed how some cyberinsurance policies offer more generous terms for cyber extortion coverage than others by covering, for instance, not just the ransom itself but also costs related to the payment of the ransom and compliance with the extortionist’s demand.[2] Cyber extortion coverage typically requires the insurer’s consent prior to paying a ransom, and some policies may require the insured to alert the authorities, as well.
  • Business Interruption and Extra Expense: The ransom payment may be the tip of the iceberg when it comes to losses from a ransomware attack. Ransomware can impair computer systems for days, weeks, or even months, which in turn can cause lost profits and other expenses related to recovery from the attack. Cyberinsurance policies often feature coverage for business interruption and extra expense caused by a cyber incident. The scope of such coverage varies from one policy to another. For example, the period of restoration may vary in duration among policies. And some policies may cover any extra expenses that would not have been incurred but for the interruption, while others may cover only certain categories of expenses or impose certain additional requirements, such as obtaining the insurer’s consent prior to incurring extra expenses.

    With more and more companies and organizations relying on hosted services, the coverage for business interruption and extra expense should extend to the insured’s losses resulting from the impairment of a service provider’s network, as well.

  • Breach Response Costs: As with any type of cyber incident, ransomware can cause an organization to incur costs investigating effects of the attack on the network and ascertaining whether it must comply with breach notification or other privacy laws. These costs can be substantial. Cyberinsurance can help alleviate such costs by covering breach response costs. Once again, the breadth of such coverage varies from policy to policy.
  • Data Recovery: Because ransomware targets and encrypts data, it may be necessary for some insureds to take steps to recover lost or impaired data. Data recovery coverage reimburses the insured for the cost to replace or restore computer programs, software, or data damaged or destroyed in a cyber incident. Not all policies feature this coverage, however.

In addition, policyholders should pay close attention to how the insurance industry responds to attacks like WannaCry. The cumulative impact of such a widespread attack can cause significant losses to the insurance industry all at once, and prompt insurers to reevaluate their existing cyberinsurance forms. In particular, events like the WannaCry attack may encourage more insurers to include broader exclusions in their policies. Policyholders should avoid such exclusions.

Submitting Notice

Those companies and organizations affected by the WannaCry attack should consider notifying their insurers. Cyberinsurance policies often feature complex notice requirements. Different requirements may apply to different coverages in the same policy. Some insureds may be tempted to forgo providing notice because the losses seem insignificant or within the SIR (self-insured retention) or retention. But the situation may look different in hindsight, once the costs arising from the attack have been fully accounted for. Also, many policies feature related claim provisions. If a related incident occurs in a subsequent policy period, the provisions of the subsequent policy may dictate that the incident relates back to the policy period in which the initial incident was first discovered. The failure to provide notice in the first policy period could jeopardize coverage for future related incidents. Moreover, many policies have separate notice provisions for claims, such as lawsuits; thus, it may be necessary to provide timely notice of any claims.

In addition to cyberinsurance, insureds should consider any other policies that may provide coverage, such as their kidnap and ransom, fidelity, and property policies, and provide notice, if appropriate.

In conclusion, the WannaCry ransomware attack highlights the growing and evolving array of cyber threats that can affect companies and organizations in any sector. Unfortunately, it may not be possible to prevent every threat from turning into a cyber incident. A properly drafted cyberinsurance policy can help companies and organizations recover and mitigate losses. Those companies and organizations affected by WannaCry should also evaluate whether to provide notice to their insurers under their cyberinsurance or other policies.

[1] Omid Safa et al., “Managing Cyber Risks: Tips for Purchasing Insurance that Works for Your Business,” Feb. 13, 2017, available at https://goo.gl/NLoYoo.

[2] James Carter, “The Ins and Outs of Cyber Extortion Coverage,” Risk Management, Dec. 2016, at 32, available at https://goo.gl/d7x2dK.