Finding the right insurance coverage helps mitigate ransomware exposures
Ransomware has become frighteningly pervasive and increasingly serious — a reality punctuated by the massive global WannaCry cyber attack that recently affected tens of thousands of organizations across a wide range of industry sectors.
Organizations can proactively manage ransomware risk through the adoption and implementation of robust cyber security and business continuity practices, and by training employees how to spot and avoid social engineering exploits, such as phishing emails. But there is no such thing as perfect cyber security, limits exist around what is feasible in terms of security and business continuity planning, and mistakes happen. Organizations must accept that they may face a ransomware attack.
Insurance can play a vital role in a company’s overall strategy to address, mitigate and maximize protection against the losses and exposures relating to a ransomware attack. Importantly, virtually all standalone cyber insurance policies offer specific coverage for ransomware and other forms of cyber extortion, in addition to other standard coverages.
Although cyber insurance can be extremely valuable, obtaining the right cyber insurance product presents significant challenges. There is no standardization among cyber insurance policies, notwithstanding that the associated marketing materials frequently make it seem as though the majority of policies available today are capable of an apples-to-apples comparison. This could hardly be further from reality. Cyber insurance policies vary dramatically. Although this creates challenges, it also creates opportunities.
Owing in part to the lack of standardization, organizations can achieve significant negotiated enhancements to off-the-shelf cyber insurance forms that dramatically broaden the coverage. Many, if not the majority, of these enhancements involve no increase in premium.
Organizations initially purchasing or renewing this type of coverage are well advised to engage the assistance of knowledgeable outside counsel at the outset to ensure that the appropriate insurance is in place when an attack occurs, and that coverage is maximized in the wake of an attack.
Here are 10 tips for maximizing coverage for ransomware and other forms of cyber extortion.
• Obtain a broad scope of coverage. Cyber extortion coverage should be written to cover as broad a range of potential threats as possible. The coverage should not be limited to ransomware, but should also cover the various other forms of cyber extortion potentially faced by the organization, including threats to obtain or release protected information — such as personally identifiable customer data, protected health information and confidential corporate information — or to discharge denial-of-service attacks that disrupt an organization’s networks, causing business interruption. By way of example, one recent off-the-shelf cyber policy extortion coverage grant promises to “reimburse Extortion Expenses incurred by an Insured in response to … an actual Network Extortion Threat,” which is defined to list specific types of attacks: “[A]ny credible threat or series of related threats directed at an Insured to: release, divulge, disseminate, destroy or use Protected Information or confidential corporate information of an Insured taken from an Insured as a result of the unauthorized access to or unauthorized use of an Insured’s Computer System or Shared Computer System; cause a Network Security Failure; alter, corrupt, damage, manipulate, misappropriate, delete or destroy Digital Data; or restrict or inhibit access to an Insured’s Computer System or Shared Computer System.” It is important to understand and negotiate the key definitions that define the scope of coverage to ensure that they are sufficiently broad to match the reality of risk faced by the insured organization.
• Obtain a broad definition of covered loss. Covered loss should include reasonable and necessary expenses incurred as a result of a covered threat, including the costs of investigating and assessing a threat, even if no ransom is paid; payment of cryptocurrencies, including bitcoin; any other consideration or action that may be demanded by the extortionists; and reasonable expenses incurred to mitigate or reduce other covered expenses.
• Pay attention to conditions. Organizations are advised to pay close attention to policy conditions, including notice and consent provisions, proof of loss provisions, allocation provisions, alternative dispute resolution provisions and any requirements that the organization notify law enforcement of the incident at issue.
• Beware of exclusions. Like any other insurance policy, a cyber policy may contain exclusions that may significantly curtail and undermine the purpose of the coverage. For example, some insurers insert exclusions based on purported shortcomings in the insured’s cyber security. Following one health care-related data breach, for example, CNA Financial Corp. filed coverage litigation against its insured, Cottage Health, seeking to avoid coverage based on an exclusion in the NetProtect360 policy at issue, entitled “Failure to Follow Minimum Required Practices.” Citing the exclusion, CNA alleged that coverage was barred because its insured failed to “continuously implement the procedures and risk controls identified in its application,” to “regularly check and maintain security patches on its systems” and to “enhance risk controls,” among a host of “other things.” These types of exclusions, which are sometimes included in other insurers’ policies, too, should be rejected.
• Be aware of sublimits. Cyber extortion coverage may be written subject to a relatively low sublimit, such that, for example, a $10 million limit primary policy may provide only $250,000 or $500,000 for cyber extortion losses. As with the case of other cyber insurance terms and conditions, sublimits usually are negotiable, and should be sufficiently high to cover reasonably projected exposure.
• Obtain a “discovery” trigger. Cyber extortion coverage should specify that the coverage is triggered by the insured’s “discovery” of a threat, rather than by the occurrence of an incident after a certain “retroactive date.”
• WannaCry? Notify! Insurance policies typically contain notification provisions stating that the insured must provide notice “as soon as practicable” after it becomes aware of an incident. It is important to reasonably comply with notice provisions in order to not jeopardize coverage. It is important, moreover, for organizations to recognize that what begins as a relatively low cyber extortion demand may evolve into an incident, or series of related events, that triggers other coverage sections of the policy. Indeed, a ransom demand may be deployed as a purposeful diversion from a different, principal goal, such as stealing sensitive records.
• Obtain “consent.” Cyber extortion coverage invariably will contain a “consent” provision, which will require that the insured organization first obtain the insurer’s approval to pay or incur costs, including the payment of ransom. Toward the goal of obtaining coverage, it is important that the insured reasonably comply with these types of provisions. Policies may be negotiated to state that the insurer’s consent may “not be unreasonably withheld.”
• Maximize coverage across the entire insurance program. Organizations are advised to consider all potentially applicable insurance coverages. A cyber extortion incident may trigger, for example, computer crime policies, kidnap and ransom policies and traditional property policies. The various policies that may be triggered by a cyber attack likely carry different limits, deductibles, retentions and other self-insurance features, together with various potentially conflicting provisions addressing other insurance, erosion of self-insurance and stacking of limits. It is important to carefully consider the best strategy for pursuing coverage in a manner that will most effectively and efficiently maximize the potentially available coverage across the insured’s entire insurance portfolio.
• Don’t take “no” for an answer. Unfortunately, even where there is a legitimate claim for coverage under the policy language and applicable law, an insurer may deny an insured’s claim. Organizations that refuse to take “no” for an answer may be able to secure valuable coverage if they effectively pursue their claim.
Roberta D. Anderson is director at Cohen & Grigsby P.C. in Pittsburgh. She can be reached at 412-297-4794 or firstname.lastname@example.org.