Insurance coverage options before ransomware attacks
In the case of a ransomware attack, insurers and insureds need to understand which party decides whether such payments are to be made.
Computer systems everywhere have become the targets of ransomware attacks in recent years. Ransomware is a form of “malware” (malicious software that gets installed on a computer without the user’s consent and is harmful to the computer) in which the access to important data and computer systems are locked or encrypted unless the victim agrees to pay a ransom to regain access to the affected computer system or data. AIG announced in May 2018 that of all the cyber claims it received in 2017, ransomware was the largest cause of loss, making up 26% of the cyber claims that it received that year. By comparison, the next largest cause of loss was data breaches caused by hackers, at 12% of all claims received.
The decision regarding payment of a ransomware demand is a complex one, which becomes even more layered when there is coverage for the loss. This article examines some of the issues faced by insurers and insureds in dealing with a ransomware attack and provides guidance for evaluating insurance coverage options.
Recent ransomware attacks against municipalities
The targets of ransomware attacks are forced to confront a difficult and consequential decision: whether to pay the ransom that is demanded, or whether to refuse to pay in favor of working around the problem. Indeed, the U.S. government doesn’t encourage payment of ransom. Payment of a ransomware demand may not lead to release of the seized system back to the impacted user and may lead to further attacks. As a recent example of payment and further attacks, according to reports, in March 2019 the court system of Jackson County, Georgia, paid attackers $400,000. A few months later, in June 2019, the Administrative Office of the Georgia Courts was the victim of another ransomware attack. Currently, this latest attack is still ongoing so the ultimate outcome is not known.
Conversely, not paying the ransom can sometimes be even more costly — both in terms of the costs to restore service as well as the cost of having operations interrupted for an extended period of time.
Related: City shakedown: How a targeted attack left a local government in a cyber fix
To illustrate the costs of this difficult decision, in mid-2019, two municipalities took two different approaches to the question of payment of ransom. One widely reported ransomware attack in May 2019 affected the city of Baltimore’s servers, blocking access to important municipal services, and preventing city employees from accessing emails. Baltimore’s city government refused to pay the ransom that the hackers demanded (13 bitcoins, which at the time was the equivalent of approximately $76,000), and the impact from the attack is still ongoing months later.
Baltimore was forced to contract with a series of experts to assist in restoring systems that were disrupted by the attack. According to news reports, the city estimates that the attack will cost at least $18.2 million (a combination of both lost or delayed revenue and direct costs to restore the city’s systems), substantially more than the $76,000 that was sought in ransom payments. Further, according to reports, Baltimore was not insured for this loss.
Conversely, in June 2019, Lake City, Florida, reportedly agreed to pay ransom to hackers to regain access to its municipal computer systems two-weeks after systems were disrupted. According to news reports, Lake City did have ransomware coverage. Once the request for ransom was received by the city it was sent to the city’s insurer. The insurer then began negotiating directly with the hackers. The ransom payment still required approval by the city council, which voted to approve the payment. Presumably, because of the required vote of the city council, the policy at issue allowed payment for ransomware demands but only with the consent of the insured. According news reports, Lake City and its insurer agreed to pay the ransom that was demanded: 42 bitcoins, the equivalent at the time of $460,000. The payment was covered entirely by the insurer, except for a $10,000 deductible, which the city was required to pay itself.
Insurance options
The options for cyber-insurance, specifically for ransomware coverage, vary among insurers. Such policies may provide reimbursement for ransom payments made in response to a ransomware attack, as well as the costs to conduct a forensic investigation to determine the validity, cause and scope of the cyber threat, or reimburse or make ransomware payments. A ransomware policy may also cover the costs to evaluate the system post- attack to identify vulnerabilities, however, insurers will typically not cover the costs of upgrading the system.
As to the issue of whether to pay a demanded ransom, it’s important for insurers and insureds to understand which party decides whether such payments are to be made. Different insurance policies have taken different approaches. Some explicitly require the insured’s consent to any ransom payment. Conversely, some policies allow the insured to control the decision, subject to the insurer’s consent. The important takeaway is that because the decision as to whether to make a ransom payment or not is controlled by different factors, many of which are weighed differently by insurers and insureds, it is in the best interests of both insurers and insureds to delineate the powers of decision-making at the inception of the policy to avoid conflict should a payment become necessary.
As ransomware attacks continue to spread, insurance companies and their insureds need to be aware of the increasing risk that such attacks pose and the policy-solutions for how to deal with them before the attacks occur to avoid conflict.
Eric B. Stern (estern@kdvlaw.com) is a partner and co-chair of the Data Privacy & Cybersecurity Practice at Kaufman Dolowich & Voluck LLP. Andrew A. Lipkowitz (alipkowitz@kdvlaw.com) is an associate at Kaufman Dolowich & Voluck who primarily focuses his practice in insurance coverage litigation and monitoring.
Read more: