Like a fire, earthquake, or any other calamity, ransomware can devastate a business with no advance warning. Fortunately, as with most other disasters, enterprises that fall victim to a ransomware attack can turn to insurance to recover some or all of their stolen financial losses.
Given the rising frequency of attacks, it's not surprising that ransomware insurance sales are skyrocketing, said Mike Morris, managing director, cyber and strategic risk, at business and technology consulting firm Deloitte. "Ransomware insurance can be extremely effective when thoroughly analyzed to ensure that coverage is sufficient in the event an attack occurs," he noted. "It's critical to understand the fine print in the policy to ensure that at the moment of crisis, restoration is possible as fully and quickly as possible."
How It Works
Ransomware insurance is like any other type of cyber insurance. "Cyber insurance is about assessing the cyber risk, determining the potential losses due to attacks, and then obtaining coverage," said Bhavani Thuraisingham, a professor at the University of Texas at Dallas, as well as the executive director of the university’s Cyber Security Research and Education Institute. The unique challenge with ransomware is that once an attacker gets into the system, they have access to everything within. "[They aren't] just stealing your data but crippling your system by encrypting all of the data and files so that you can't have access unless you pay them a ransom," she explained. "It's like someone breaking into your house and stealing your jewelry, but also kidnapping your child and demanding a ransom," Thuraisingham quipped.
Ransomware insurance is generally sold along with, or in addition to, a general cyber insurance policy. The appropriate cyber liability insurance policy depends primarily on the applicant's industry and operations, observed Jack Dowd an account executive at insurance provider The Dowd Agencies. "Essentially, any business that handles customer information can benefit from the service," he said.
Cyber insurance is available in several different forms. "One type focuses on first-party responses and covers legal and related services to identify an actual breach and costs associated with regulatory compliance in the event of a breach," Dowd said. "This insurance also addresses the response to immediate customer needs, such as credit monitoring and educating customers about the breach." Crisis management and public relations expenses are typically included as well, as are expenses for business interruption and costs for additional labor associated with a claim, he added.
Another type of ransomware insurance addresses third-party defense and liability issues. "Such a policy may cover settlements or judgments that a victimized enterprise is responsible for due to a data breach, and may produce liability coverage for electronic media, which could include copyright infringement, network security, and privacy liability issues, Dowd explained.
Shopping for Coverage
Before committing to any particular type of ransomware insurance coverage, it's important to examine the policy closely, preferably with an attorney's assistance. "This includes the coverage amounts, including specific sub-limits for ransom payments [and] how the policy defines a covered event," said Michael Pisano, managing director and insurance industry internal audit leader at global consulting firm Protiviti.
It’s important to understand the types of events and losses a policy will cover, as well as what' s excluded. "As such, the organization’s risk management leadership should work with a qualified insurance broker to review and consider different options before purchasing coverage," Pisano said.
The best way to shop for ransomware insurance, Morris advised, is to work with an agent or broker to analyze policies offered by several insurance companies. "At minimum, make sure insurance coverage includes data restoration and loss of encrypted data, repayment of ransom demands, as well as coverage for any regulatory actions from federal agencies, state, or local government," he said. "Understanding policy exclusions and standards is key as well."
An Unintentional Incentive?
There's currently a major debate raging within the security industry as to whether providing coverage for ransom payments unintentionally incentivizes ransomware attacks. Pisano noted that cyber criminals have been known to specifically target enterprises they believe, or have reason to suppose, are covered by ransomware insurance. Such organizations, the attackers hope, will be more likely to agree to a rapid financial settlement.
Pisano observed that insurers are beginning to catch on to this trend. "In fact, some companies have started to exclude ransom from their cyber covers, though I haven’t heard of many doing so yet," he said.
Like any insurance policy, ransomware policies frequently limit how much ransom an insurer will cover, as well as other requirements to cover claims. "For example, some policies require insurer approval before paying ransoms in order for a claim to be covered," Pisano noted.
Prevention is the best way to avoid the financial damage a ransomware attack can inflict. Thuraisingham compared the challenge to an individual protecting his or her health. "We want to lead a healthy life so that we don't fall sick," she said. "Similarly, you should protect all of your systems, data, and processes so that the attackers cannot get in," Thuraisingham advised. "I cannot overemphasize proper backup procedures," she stated. "This is crucial."