Asking the Right Questions – Ransomware Edition

Use the following 7 questions to assess if and how your cyber insurance policy covers ransomware

Cyber insurance buyers want to know if ransomware is covered under their insurance policy. This may seem like a straightforward question to ask; however, it isn’t.

You see, two cyber insurance policies may contain a Cyber Extortion or Threat clause, yet their response to ransomware could be completely different. Ransomware attacks happen frequently and are very costly; you’ll want to ensure you’re getting the full-sized meal, not just the fries!

“Does my cyber policy cover ransomware?” is a difficult question to answer because with cyber insurance, the peril isn’t usually the issue, the associated loss is. Most stand-alone cyber policies will cover ransomware as a peril. However, not all policies will offer all the coverages necessary to cover the losses associated with a ransomware attack.

A ransomware example: 

When a ransomware attack hits, the malicious software enters a computer system. It may hold your data or your entire system for ransom. Then, the attacker will likely demand a bitcoin payment in exchange for releasing the data or returning access to the computer system.

As soon as the event happens, a breach coach should be engaged to assist you in dealing with the incident. Every ransomware attack is different, and therefore an expert should be engaged to navigate through negotiations to attain the best possible outcome.

Evaluating coverage

Let’s evaluate coverage by examining the potential costs and losses associated with the ransomware event. Rather than asking if ransomware is covered, consider asking the following ransomware questions:

1. What is the breach coach deductible on the policy? 

Ideally, the breach coach deductible is Nil, as the breach coach should be brought in immediately. Depending on the policy, a deductible may apply, which means you’re on the hook for that specified amount.

2. Are extortion payments covered under the policy? What is the limit? Will the insurer assist with facilitating the payment?

Paying an extortion demand is a complicated matter, and every situation is different. The victim may decide to pay, or can refuse to pay and restore from back-ups, depending on many factors. What if you have to pay in bitcoin? Make sure that extortion payments are covered and that the policy assists in setting up an account/facilitating the payment.

3. Where is the forensic investigation coverage under this policy, and what is the limit?

As soon as a third party infiltrates your systems, the question becomes, what data have they accessed, and what is the sensitivity level of that data? Often, an IT forensic investigator is hired to get to the bottom of that. You should know that their fees are typically higher than lawyers’ fees.

4. Is business interruption covered under the policy? What is the time deductible/waiting period (or both), and what is the indemnity period? Is coverage afforded for a forensic accountant to sort out the expected income for that period?

What if the systems were down for days during the time it took to sort out the incident? If the victim is unable to operate at their full capacity throughout this period, business interruption loss becomes a consideration.

5. Are notifications covered in any form? Is there coverage to set up a call center? Are PR costs covered?

If it turns out that sensitive data was breached during the ransomware attack, there will be costs for notifications to all those affected. Depending on the number of records breached or the size of the business, a call center may need to be set up to deal with queries, and a PR expert may need to be engaged to assist with messaging.

6. Is data restoration covered? Is the cost to recreate data covered? Does this include overtime costs of employees recreating the data?

Imagine the victim is about to restore their systems from older back-ups rather than paying the extortion demand. Or maybe, the demand is paid, but data is lost because the attacker didn’t keep his word… now the victim has to pay to restore or recreate their data. Working to restore the data is one thing; paying to recreate the data can get very costly.

7. What is the trigger for first and third party coverages? Are there any exclusions relating to how the computer system is compromised? Any warranties relating to system maintenance?

Finally, if you want to know whether ransomware, the peril, is covered under your cyber policy, consider asking the question above. You’ll want to know that ransomware should be a covered trigger for both first- and third-party coverages. Note that ransomware is a type of malware, which is usually the term noted on the policy.

Ultimately, you’ll find the majority of the answers to these 7 ransomware questions in the policy wording. You don’t necessarily have to avoid peril-based questions when asking about the policy, but do keep in mind that the losses, rather than the perils, are the driver of cyber coverage. And remember, your broker and underwriter are always there to give you a hand!
