Colonial Pipeline hack: How a cyber policy may have responded
New reports indicate that Colonial did have cyber insurance, but how does a cyber policy work in the event of a cyberattack?
Contradictory to earlier claims that Colonial Pipeline had no intention of paying an extortion fee to restore operations, Bloomberg reported that the company paid nearly $5 million to Eastern European hackers on May 7, according to people familiar with the transaction.
Did a cyber insurance policy save Colonial Pipeline from the expenses of paying the ransom? According to Reuters, sources told the news organization that Colonial had cyber policies arranged by Aon with AXA XL and Beazley.
Depending on the various provisions of the company’s policies, the following explains how cyber insurance could have responded to the Colonial hack and can help other businesses facing a cyberattack.
How a cyber policy can work
First, with a cyber policy in effect, the insurer would likely have stepped in as soon as the company first discovered that its system had been breached or received a cyber extortion threat, whichever came first. The insurer would have assisted the company in responding to the public and to the extortionists (threat agents).
Any expense incurred as a result of the cyber incident as defined in the applicable policy should be covered by the insurer. This would include such things as investigative costs for determining the cause, scope and extent of the security breach and to identify affected parties; costs for legal fees or other professional advice on responding to the security breach; costs to notify affected parties; overtime salaries necessary for employees handling inquiries as to the security breach; call center costs if hired by the insured for handling inquiries from those parties affected by the security breach; and costs to provide credit and identity theft monitoring to affected parties for at least a year. Other expenses may be covered if approved by the insurer.
Extortion threat expenses might include such things as hiring a security firm or other organization to determine the validity and severity of the extortion threat; interest costs if the insured had to take out a loan to pay a ransom demand; any reward payment the insured makes to an informant whose information leads to the arrest and conviction of the threat actors; or any other reasonable fees or costs, such as those of independent negotiators or security firms hired by the insured to determine how to protect the system from further threats. Covered extortion expenses should include ransom payments the company has to make in the form of cash or cryptocurrency, such as bitcoin.
A cyber policy should also cover the replacement or restoration of the electronic data on the computer systems or computer programs from the cyber incident, as long as it is discovered within the policy period. If such restoration requires reprogramming or consultation services, the policy should also cover those costs.
Business income and extra expense incurred as a direct result of the covered cyber incident or extortion threat may be covered for the period of restoration as defined in the policy, perhaps subject to a waiting period before coverage begins. The best way to determine whether this coverage would apply is to ask whether the loss or expense exists only because of the cyber incident or extortion threat. Expenses to add new employees or costs to upgrade or repair the systems would not be covered unless they were required, due to the cyber incident or extortion threat, to keep the company operational.
Based on news surrounding the hack, it is clear that Colonial Pipeline has had public relations expenses. These would include costs of a public relations firm to protect or restore the company’s reputation solely in response to negative publicity the company received from the cyber incident. These expenses would be covered under a good cyber policy.
The liability insuring agreements will likely be on a claims-made and discovery basis, covering claims when the insured first discovers and reports the cyber incident within the policy period or extended reporting period.
Concerning security breach liability, loss and defense expenses arising from a regulatory proceeding should be covered, with the insurer having the right to select defense counsel and to make settlements with the insured’s consent. A loss might include compensatory damages, amounts paid under judgments or settlements, and punitive or exemplary damages where insurable by law. A regulatory proceeding would be one brought by or on behalf of the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), or another body acting in a regulatory capacity.
Some of the coverages provided may be subject to sub-limits within the policy’s aggregate limit. There may be separate sub-limits for ransom payments, business income and extra expense, or public relations expense.
It is common for a deductible to apply, and as with every policy, there will be certain exclusions to coverage.
By and large, it is quite reasonable to assume that whatever premium the company may have paid would not come near the $5 million ransom payment. We can’t say for certain that the company had all of these coverages in effect, but there’s no doubt that having cyber insurance was a good move on their part in this situation.