Cyber insurance policies have been in existence for about twenty years but have really developed over the past ten years. The primary purpose of these policies was initially to cover liability resulting from a data breach as well as reimbursement of notification costs tied to the breach.
Although liability protection and data breach response costs are still major components of cyber insurance policies, recent years have led to broader policies that cover other types of claims, such as extortion attacks, cyber-related business interruption events, and funds transfer fraud resulting from social engineering attacks.
One emerging trend we have seen is a large rise in extortion or ransomware attacks. In a ransomware attack, a hacker sends a fake or fraudulent email to an unsuspecting employee within a company. Typically, the hacker will pretend to be a fellow employee (such as a CEO or CFO) or a client to disguise the attack. The email will include an attachment or file that looks legitimate and contains malware.
Once the employee opens the attachment or file, the hacker is able to gain access to the company’s network and will then encrypt sensitive systems or data. At this point, the company could have its day-to-day operations crippled.
For example, a manufacturer relying on IT systems to produce inventory may wake up to find its production equipment completely shut down and unable to manufacture product. A law firm may come into the office and realize they are unable to access case files or client information because these files have been encrypted.
At this point, the hacker will demand a ransom payment to unlock the systems or data. The ransom demand is usually made in Bitcoin or another form of cryptocurrency that is difficult to trace.
In a situation this fall, we had a client who was hit by one of these attacks and faced a Bitcoin ransom demand of over $1,000,000. With help from the insurance company and a third-party negotiating firm, the ransom demand was negotiated down to a much lower amount and the company agreed to pay the ransom. When adding in the costs of using third-party firms to deal with the incident, the overall cost to the company was sizeable.
A cyber insurance policy is key to responding to this type of attack as it offers a range of resources and protection to the business facing the attack.
The primary benefit of the company’s cyber policy is reimbursing the cost of the ransom payment and other ancillary expenses made in resolving the incident.
The secondary benefits are often just as important. These include the step-by-step guidance provided by the insurance company and its approved vendors for how to respond to the incident. A quick response can get the company back up and running with as little impact to operations, and ultimately to the organization’s financials, as possible.
As part of the policy, the insurance company and the negotiating firm are in place to handle the ransom negotiation and ultimately the payment. The third-party negotiating firms used by the insurance companies face these types of negotiations on a daily basis and know the criminal organizations they are dealing with.
The policy also provides access to a panel of law firms specializing in cyber litigation. This is critical as it gives the company an outlet to determine if they face any legal liability or legal duty to notify affected customers or clients.
In addition, the policy can give the company access to a panel of vetted IT and forensics firms. These firms can be used to determine how the organization was breached and how systems and policies can be strengthened to avoid a similar attack in the future.
In the claim mentioned above, these resources and third-party firms helped save the company hundreds of thousands of dollars and got the company back up and running quickly.
In summary, we have found all companies and organizations are vulnerable to these types of claims. In fact, smaller businesses and organizations are often more susceptible to these types of attacks as they typically do not spend the same level of resources on cybersecurity or training as large organizations.
If you have questions or would like to discuss cyber insurance in more detail, please reach out to a risk advisor at Simpson & McCrady to set up a time for a conversation.
To learn more, check out our previous summary on trends that we are seeing in the cyber insurance space. The article includes best practices and tips that you can utilize to strengthen your personal and/or corporate cybersecurity practices.
Disclaimer: This is a general overview of commercial cyber insurance. Coverage is determined based on the details surrounding a claim and is dependent on the limits, deductibles, terms, conditions, and exclusions of the policy.