Cyber insurance policies typically have a deductible. For example, a client could select a $100,000 deductible for their policy.
Law firms coordinating breach response continued to help victims keep their communication with criminal enterprises on the darknet, and their ransom bargaining, under attorney-client privilege.
At the same time, the risk of being tracked by law enforcement kept ransom demands low.
Coverage for a variety of ransomware scenarios
The insurance industry rallied quickly to understand the ransomware threat and develop products to mitigate it. However, the low take-up of cyber insurance, even when offered free to insureds, means that more is needed to minimize the overall effect of ransomware attacks on business operations. Nevertheless, more businesses are looking at ransomware cyber insurance, which reimburses ransom payments made to the attackers and covers specific types of losses from a cyberattack. Security vendors such as Fortinet, however, advise against paying a ransom at all. Moreover, insurers' reliance on the policyholder's duty to mitigate can lead to dubious outcomes. For example, one sample ransom note asked victims to send the attacker their policy details so that the gang could demand the full limits of their coverage. Complying with such a request would breach the policy's duty to mitigate: it hands sensitive information to the attacker and is likely to lead to protracted negotiations that delay claim payments.
Additionally, the anecdotal evidence that ransomware gangs preferentially target insured organizations raises concerns about third-party moral hazard. By encouraging organizations to pay ransom demands, cyber insurance undermines law enforcement’s ability to prosecute extortion crimes and may increase the risk of a breach that exposes customer data.
While the hardening of the cyber insurance market has helped to raise cyber security standards among prospective insureds, those higher standards reach only the organizations that seek coverage. It remains to be seen whether greater penetration of the cyber insurance market will also lift standards among businesses that choose to remain uninsured.
Coverage for data recovery
Cyber insurance has several features that make it a valuable tool in negotiating ransom demands. First, it puts companies in a credible financial position to refuse the ransom. That leverage is greatest when the company has multiple backups it can restore from.
Second, many cyber policies cover the costs of data recovery, which helps companies avoid paying a ransom and keep operating after an attack.
Finally, many cyber policies include breach response services, which can help mitigate extortion attacks and other cybersecurity threats. These services can also help businesses improve their security and resilience against future attacks.
While insurers are not eager to reveal details about their products, they can provide insights into how they respond to a ransomware crisis. For example, they may offer a "ransomware-settlement-as-a-service" that includes communicating with criminal enterprises on the darknet and bargaining down ransoms. This approach aims to limit third-party moral hazard by reducing the returns on crime.
However, it may come with problems of its own. For example, it can lead to a mismatch between customers' potential losses and the limits of their cyber policies. This imbalance was already evident in the litigation over a USD 1 billion loss. As a result, policymakers must ensure that the terms of cyber insurance adequately reflect the potential size of customer losses.
Coverage for business interruption
Cyber insurance can be leveraged to help resolve the situation of a company that has been hit by ransomware. Interviewees described how their insurers would mediate payments to extortionists so that the business could recover and resume operations while keeping sensitive information (e.g., customer lists) confidential. The insurer's mediating role also matters because it lets the insured avoid public disclosures that could jeopardize its coverage under other types of insurance.
Despite controversies over whether paying a ransom may encourage or fuel the escalation of cyber attacks, interviewees felt that their insurance policies provided meaningful value in dealing with these incidents. Insureds viewed cyber insurance as a way to mitigate the impact of the attacks by providing them with access to third-party services, helping them resume operations, and providing them with coverage for lost income.
Interviewees also noted that the recent hardening of the cyber insurance market had forced them to raise their cybersecurity standards to qualify for coverage. Insurers have demanded a clearer picture of customers' potential losses and are offering higher policy limits than traditional property and liability policies provide. This shift in policy terms has disrupted the balance between customers' potential losses and the level of risk they are comfortable retaining once they hold cyber insurance.
Coverage for cyber extortion
Cyber extortion is an increasingly common aspect of ransomware attacks. It involves criminals blocking victims from accessing their data and demanding payment to regain control. It raises interesting questions, including whether it is legal to pay a ransom demand and what types of insurance policies might cover such payments.
As a result, cyber insurers are working hard to keep up with this threat. They are adapting their policies to cover extortion threats, reworking their underwriting requirements, and adding new tools such as cyber extortion sub-limits.
This is in addition to traditional cyber insurance coverage for the cost of forensic IT services, revenue lost during business interruption, notifying affected third parties of a data breach, and more. Many cyber insurers also require their clients to have robust incident response plans and to follow best practices. This helps insureds become "good risks" that insurers can trust to take the proper steps in a crisis, and it reduces the likelihood that a ransom will have to be paid.
Unfortunately, even the best-prepared companies can find themselves in the middle of a ransomware crisis. And given how the insurance industry has reacted to the challenges presented by extortion, it is not clear that the needs of policyholders, the interests of law enforcement, and the incentives of cyber criminals can all be reconciled.