Ransomware attacks covered under multiple insurance policies
Insurance for ransomware-related costs is readily available, at least for now, experts say.
While ransom demands to date have been low enough to fall under policy retentions, coverage can be triggered by crisis management and forensics investigation expenses, said Meredith Schnur, Madison, New Jersey-based senior vice president and professional risk national practice leader at Wells Fargo Insurance Services USA Inc.
“This is an area where the role of insurance is increasing,” with insurers offering prequalified vendors in the event an attack does occur, said Erica Davis, New York-based head of specialty products errors and omissions at Zurich North America.
Experts say that in addition to coverage under policyholders’ cyber policies, there may be coverage in business interruption and kidnap and ransom policies.
Historically, coverage for ransomware attacks has been sublimited within cyber policy limits, but now policyholders may be able to obtain full limits for the coverage, said Matt Chmel, Chicago-based team leader of Aon Risk Solutions’ professional risk solutions team.
Policy language should be reviewed with a broker, Mr. Chmel advised. There are 67 cyber insurers, “each one with different language and verbiage,” he said.
“You would want to do your homework … and look for the right coverage and the right price, and always be careful of the sublimit,” said Judy Selby, Stamford, Connecticut-based managing director of BDO Consulting’s technology advisory services.
Do not mistakenly assume that because the ransomware demand is low the insurer need not be notified, said Roberta D. Anderson, a partner with K&L Gates L.L.P. in Pittsburgh.
If a company does find itself to be a victim of malware, “one of the first things it should do is notify its cyber insurance carrier,” she said. Otherwise, if it later becomes a much larger claim than initially thought, the policyholder “could end up facing an insurer’s argument that notice was provided late, and therefore there was no coverage,” said Ms. Anderson.
“Follow whatever requirements are in the policy, so you don’t do something in advance of getting any required consent or authorization from the insurance company and put your coverage at risk,” Ms. Selby added.
She also said that firms’ incident response plans “should include the insurance component in there. Whatever other requirements you have in your policy, put that into the incident response plan” so “it doesn’t fall through the cracks when you’re dealing with a crisis.”
“The irony, perhaps, of ransomware” is that it has been insured “since the emergence of cyber insurance under the cyber extortion insurance agreement,” said Ben Beeson, Washington-based vice president for cyber security and privacy at Lockton Cos. L.L.C.
“It wasn’t thought to be as much of a risk” as network interruption and first-party loss risks, he said.
Clearly, he said, that “is becoming a more relevant part of the insurance policy. At the moment, insurers seem happy to cover it, but what happens when, or if,” they begin to pay out more money on these claims?