Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it. While a ransom attack is not considered a data breach, or an incident that needs to be reported, many ransom attacks have recently been making the headlines. In recent weeks, most of these ransom attacks (at least the ones we know about) seem to be targeting hospitals. A ransomware attack could hit any business, organization and even individuals at any time, and usually with no advance notice. One doesn’t know they’re a victim until they can’t access their data or networks, and are being required to pay a ransom or risk losing access to their data forever.
Ransom attacks are a big problem today, especially for healthcare organizations, and expose hospitals to many new risks. Most hospitals today are completely reliant on electronic health records and lack paper records for all admitted patients, which exposes the hospital’s patients to diminished health care and an increase in patient care errors. Furthermore, if a hospital chooses not to pay, it could lead to an increase in patient deaths due to the inability to access the hospital’s electronic health records system in critical moments. Indeed, the hospital system is now faced with very challenging times, at the very moments when individuals are in need of very sensitive care and the hospital’s computer system is not functioning. This exposes the hospital system to a great deal of liability, and to diminished healthcare for patients when it is most needed.
Cyber Insurance May or May Not Cover a Ransom Attack
Not every business has the same network security and privacy risks, which means that cyber insurance policies can vary greatly by industry, business operations and the types of data you may or may not collect. Ransom attacks would fall under a cyber insurance policy’s “cyber extortion” coverage, and depending on the cyber insurance policy a company already has or is exploring, this “first-party” coverage may or may not be included. Some cyber insurance policies offer both “first-party” and “third-party” coverage, while many policies offer “third-party” coverages only. Companies that have “third-party” coverages only will find themselves uninsured in the event of a ransom attack. Considering that ransom attacks are escalating, and not going away, not having “cyber extortion” coverage is a bad idea.
When submitting a ransom attack claim under a cyber insurance policy that offers cyber extortion coverage, there are strict requirements that the cyber insurance policyholder must follow, and one misstep can leave the company uninsured. First off, the company is responsible for paying the policy’s retention (also known as the policy deductible) before any coverage will apply. Oftentimes, the policy’s retention will be higher than the ransom amount, leaving the company effectively uninsured because the ransom falls below the policy retention. Though depending upon the cyber insurance policy, in some instances, no retention applies to reward payments.
What Cyber Extortion Costs are Covered?
While all cyber insurance policy “cyber extortion” coverages are different, and the coverage wordings vary, one cyber insurance policy in particular defines “cyber extortion” costs as:
- the ransom paid or, if the demand is for goods or services, the fair market value at the time of surrender; and
- the reasonable and necessary fees and expenses incurred by a representative appointed by us to provide you with assistance,
Provided you (the policyholder) can demonstrate:
- the ransom has been surrendered under duress; and
- before agreeing to its payment you have made all reasonable efforts to:
  - determine the threat is genuine and not a hoax; and
  - ensure at least one executive has agreed to the payment of the ransom.
When Must a Cyber Insurance Policy Holder Notify the Insurer of a Cyber Extortion Threat?
It all depends on the cyber insurance policy in hand. Notification deadlines for a ransom attack vary greatly from policy to policy. Some policies require the policyholder to notify the insurer immediately, while others state that the policyholder must notify the insurer as soon as practicable, but no later than thirty (30) days after becoming aware of such Cyber Extortion Threat. In any event, the Insured Organization is required to take all steps reasonable and practical to avoid or limit the payment of an extortion. Some cyber insurance policies even go as far as stating that if the party demanding the ransom learns there is a cyber insurance policy, the claim will not be covered.
How to Minimize and Counter a Ransom Attack
Nonetheless, there are steps a company can take to minimize its risk of a ransom attack. The United States Department of Homeland Security (DHS), in collaboration with the Canadian Cyber Incident Response Centre (CCIRC), just released this Alert to provide further information on ransomware, specifically its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate against ransomware.
US-CERT recommends that users and administrators take the following preventive measures to protect their computer networks from ransomware infection:
- Employ a data backup and recovery plan for all critical information. Perform and test regular backups to limit the impact of data or system loss and to expedite the recovery process. Ideally, this data should be kept on a separate device, and backups should be stored offline.
- Use application whitelisting to help prevent malicious software and unapproved programs from running. Application whitelisting is one of the best security strategies as it allows only specified programs to run, while blocking all others, including malicious software.
- Keep your operating system and software up-to-date with the latest patches. Vulnerable applications and operating systems are the target of most attacks. Ensuring these are patched with the latest updates greatly reduces the number of exploitable entry points available to an attacker.
- Maintain up-to-date anti-virus software, and scan all software downloaded from the internet prior to executing.
- Restrict users’ ability (permissions) to install and run unwanted software applications, and apply the principle of “Least Privilege” to all systems and services. Restricting these privileges may prevent malware from running or limit its capability to spread through the network.
- Avoid enabling macros from email attachments. If a user opens the attachment and enables macros, embedded code will execute the malware on the machine. For enterprises or organizations, it may be best to block email messages with attachments from suspicious sources.
- Do not follow unsolicited Web links in emails. Refer to the US-CERT Security Tip on Avoiding Social Engineering and Phishing Attacks for more information.
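The first measure above says to perform and test backups, not merely take them: a backup that has been silently encrypted or corrupted is worthless when the ransom note arrives. The following Python script is an added example, not code from the US-CERT alert or from the original post. It records a SHA-256 manifest alongside a backup, re-hashes the backup to detect any file that has changed since it was taken, and runs a restore drill into a scratch directory. The file names, the manifest name and the sample data are all constructed for the demonstration.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"  # hypothetical name for the integrity manifest


def sha256_file(path: Path) -> str:
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative path) to its SHA-256 digest."""
    return {
        str(p.relative_to(root)): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def make_backup(source: Path, dest: Path) -> dict:
    """Copy source into dest and record a manifest of the copied files."""
    shutil.copytree(source, dest, dirs_exist_ok=True)
    manifest = build_manifest(dest)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(dest: Path) -> list:
    """Re-hash the backup and return the files that differ from the manifest.

    A file that was overwritten, deleted, or added after the backup was taken
    shows up here; an empty list means the backup still matches its manifest.
    """
    expected = json.loads((dest / MANIFEST_NAME).read_text())
    actual = build_manifest(dest)
    return sorted(
        name for name in set(expected) | set(actual)
        if expected.get(name) != actual.get(name)
    )


def restore_drill(dest: Path, restore_to: Path) -> bool:
    """Restore the backup to a scratch directory and confirm it matches the manifest."""
    shutil.copytree(dest, restore_to, dirs_exist_ok=True)
    return verify_backup(restore_to) == []


def demo() -> dict:
    """Constructed scenario: back up two files, verify, drill, then simulate tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src, bak, rst = tmp / "src", tmp / "backup", tmp / "restore"
        src.mkdir()
        # Constructed sample data standing in for real records.
        (src / "records.csv").write_text("id,name\n1,alice\n2,bob\n")
        (src / "notes.txt").write_text("constructed sample data\n")

        make_backup(src, bak)
        clean = verify_backup(bak)          # expect [] right after the backup
        drill_ok = restore_drill(bak, rst)  # expect True: restore matches manifest

        # Simulate an encryptor overwriting one file in the backup copy.
        (bak / "records.csv").write_bytes(b"\x00ENCRYPTED\x00")
        tampered = verify_backup(bak)       # expect ["records.csv"]

        return {"clean": clean, "drill_ok": drill_ok, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

The check only helps if the manifest is not sitting next to the backup on a writable share, since anything that can encrypt the backup can rewrite the manifest too; keep the manifest (or the whole backup) offline, as the alert advises, and run the restore drill on a schedule rather than for the first time during an incident.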
The US-CERT alert states that individuals and organizations are discouraged from paying the ransom, as this does not guarantee files will be released, and it asks that instances of fraud be reported to the FBI at the Internet Crime Complaint Center.
Cyber Extortion Threats are Leading to an Increase in Cyber Insurance Demand
What has become one of the most important risks to cover has also become the most important process a company has to get right from the start, right up to the anticipated insurance claim. From assessing and identifying cyber risks and aligning them to cyber insurance coverages, preparing for the cyber insurance underwriting process, enduring the underwriting process, and navigating the plethora of non-standard cyber insurance policy offerings – these and more are what a company is up against when purchasing a cyber insurance policy.
This is why it is crucial to work with an experienced cyber insurance broker who can assist and help guide the company through this complex process.
For help with your company’s cyber insurance, please complete our cyber insurance quote request form or give us a call.