Today, businesses of all sizes engaged in a wide variety of ventures routinely maintain cyber-insurance, i.e., insurance coverage to protect against digital threats that challenge computers, data, and online presence. Recently, one form of digital threat, ransomware, has become the most popular type of malicious digital conduct threatening businesses around the world. A growing number of businesses are learning the hard way that basic cyber-insurance does not always provide adequate protection in the event of a ransomware attack. Businesses currently maintaining cyber-insurance should carefully review their coverage to make sure that it addresses ransomware attacks. Businesses that do not currently maintain cyber-insurance should review their operations and consider if some form of cyber-insurance, including ransomware coverage, is appropriate for them. Alliance Law Group can help your business find an appropriate form of cyber-insurance to meet its needs, and we welcome the opportunity to work with you as you consider the pros and cons of cyber-insurance coverage.
Cyber-insurance traditionally has been viewed as a form of business insurance which focuses on the following key sets of costs associated with computer failures and data security breaches:
- Business Interruption;
- Data Recovery;
- Breach Costs; and
- Impact on Dependent Businesses.
Business interruption costs, in this context, are generally those business costs resulting from loss of data, damage to, or loss of, computing devices, and non-functional online presence. Data recovery costs are widely seen to include costs associated with the recovery or reconstruction of business data which may have been stolen, damaged or otherwise corrupted by a computer breach. Breach costs routinely include costs associated with identifying, stopping, and remedying a computer security breach, including the costs associated with providing all notices to interested parties that may be required by law. Cyber-insurance also routinely covers costs that are a direct result of the computer breach and are incurred by other businesses that are dependent upon the insured businesses.
A growing number of businesses that maintain the traditional form of cyber-insurance outlined above now find that their coverage does not compensate them for the direct costs associated with ransomware attacks. It is important to note that ransomware attacks differ from the traditional computer security breach model. In the traditional model, the hacker steals valuable business data then sells that data for profit. In the ransomware model, the hacker does not steal any data, but instead introduces malware that makes it impossible for the legitimate owner of that data to access or use the data. The hacker demands payment of a ransom in exchange for a code which will unlock the blocked data. Using the ransomware model, the hacker steals nothing and receives compensation through the ransom, not through sale of any stolen property.
A growing number of insured businesses now find that their insurers take a narrow view of the costs covered in the event of a ransomware attack. For example, as ransom payments are technically illegal in some jurisdictions, many cyber-insurers will not compensate their clients if those clients choose to pay a demanded ransom. Additionally, because digital content subject to a ransomware attack is not technically stolen or damaged, some insurers take the position that mere denial of access to data does not constitute data theft or corruption of the sort contemplated by the coverage. In this environment, it is essential that businesses maintaining cyber-insurance coverage review their policies carefully to determine if their current coverage actually covers ransomware attacks, and if it does not, the businesses should coordinate with their insurer to make sure that their coverage is modified to address the threat of ransomware attacks.
Businesses that do not currently maintain cyber-insurance coverage should consider whether the current popularity of ransomware attacks creates a climate in which they may want to consider obtaining such coverage. History suggests that the most attractive targets for ransomware attacks to date have included: hospitals and medical practices, educational institutions, businesses providing financial services, local governments, and businesses that rely on their computer systems for management and control of their daily business operations (e.g., manufacturing, product distribution, etc.). If your business falls within this general profile of targets, you may want to consider particularly carefully the potential value of insurance specifically designed to address the threat of ransomware. It is important to recognize that ransomware attackers do not necessarily find larger organizations to be more attractive targets. Indeed, many of them seem to prefer smaller or mid-size organizations presumably under the theory that those organizations are more likely, given their limited resources, to pay a smaller ransom more quickly in order to gain access to their material sooner.
Alliance Law Group can help you evaluate your cyber business risks and evaluate appropriate cyber-insurance options. We welcome the opportunity to be of assistance.
This article is not intended to provide legal advice. Individual facts and circumstances vary. Accordingly, please consult Alliance Law Group or other legal counsel with respect to issues concerning cyber-insurance and protection against ransomware.