It would not be an exaggeration to say that one-third of the conversations that I have had with professionals on insurance coverage matters over the past year or so have included in some fashion the issue of cyber liability. In particular, the subject of ransomware has been more and more the focus of these discussions with such claims on the dramatic rise, and perpetrators focusing their attention on attorneys, education professionals, architects/engineers, and those working with financial institutions. While I have written about cyber liability insurance and related case decisions in the past, I thought it useful to do so now with a focus on professionals being the subject of ransomware claims.
Ransomware is a form of cyber kidnapping where malware (a computer virus) prevents users from accessing files on their computer, and threatens permanent encryption or deletion of that data if a ransom is not paid. The ransom demand is usually a “nuisance” amount so the decision to pay is perceived to be the only practical option to get the data restored. (I’ve seen reports where the average demand is $1000 with some of the more high-profile institutional claims in 2016 ranging from $17,000 to $73,000.)
It is important to note that cyber insurance policies are typically non-standardized, and could provide for expenses incurred by an insured professional (first party) or claims made by a third party for alleged damages. Ransomware claims arising out of activities typically fall within the “extortion” coverage part of a cyber liability policy that may not be contained in the base policy and may need to be purchased separately. There are several considerations a professional should keep in mind when purchasing such insurance.
To begin with, the extortion coverage is usually a sub-limit of the policy or, in other words, an amount that is less than the entire cyber policy limit of liability. Moreover, the ransom demand as noted above is an amount designed to lead to a quick payment, and could fall within the deductible that a professional insured is obligated to pay before an insurer is obligated to do so. Thus, any extortion coverage should have a limit that a professional determines to meet his or her industry needs, and the deductible should be at an amount that a professional insured could afford to pay. (I would note that I have seen extortion coverages that have a lower deductible than the regular policy deductible, and this is something that could be explored as well.)
With this in mind, many extortion coverages contain unique conditions to coverage and, if not met, could vitiate an insurer’s obligation to pay. For example, an insurer could require a professional insured to provide notice of a ransomware claim within a certain time frame, anywhere from immediately to 30 days, and such notice may need to demonstrate an effort not to pay or at least negotiate the demand. In connection with the latter, I would certainly recommend coordinating such efforts with the insurer since such negotiation could lead to other damages in complying with this “negotiation” insurance condition. Additionally, insurers could require the extortion threat to be credible, and often reserve the right to cancel the cyber extortion coverage or deny a claim if the perpetrator learns of the availability of such insurance coverage. Finally, some policies actually exclude coverage for certain types of ransomware, such as CTB-Locker or TeslaCrypt.
Cyber liability policies are a critical part of a professional’s risk management of its cyber exposure, including ransomware where the need for extortion coverage should be considered since reported attacks have skyrocketed in the last couple of years, with one insurer reporting that, in July and August of 2016, it had as many extortion claims as it did in all of 2015. This discussion is designed to assist a professional to purchase a cyber policy that is reasonably tailored to the extent possible to best meet his or her needs.
All information provided in this blog is for informational purposes only. The sources used are presumed accurate. Lancer Claims Services, Brown & Brown Program Insurance Services, Inc. and Brown & Brown, Inc. will not be liable for any errors, omissions, losses, injuries or damages arising from its display or use and will not assume responsibility for any misguided information. No guarantees are implied.