Asking the Right Questions – Ransomware Edition

Use the following 7 questions to assess if and how your cyber insurance policy covers ransomware

Cyber insurance buyers want to know if ransomware is covered under their insurance policy. This may seem like a straightforward question to ask; however, it isn’t.

You see, two cyber insurance policies may contain a Cyber Extortion or Threat clause, yet their response to ransomware could be completely different. Ransomware attacks happen so frequently and are very costly; you’ll want to ensure you’re getting the full-sized meal, not just the fries!

“Does my cyber insurance policy cover ransomware?” is a difficult question to answer because, with cyber insurance, the peril isn’t usually the issue; the associated loss is. Most stand-alone cyber policies will cover ransomware as a peril. However, not all policies will offer all the coverages necessary to cover the losses associated with a ransomware attack.

A ransomware example:

When a ransomware attack hits, the malicious software enters a computer system. It may hold your data or your entire system for ransom. Then, the attacker will likely demand a bitcoin payment in exchange for releasing the data or returning access to the computer system.

As soon as the event happens, engage a breach coach to assist you in dealing with the incident. Every ransomware attack is different, and therefore you should engage an expert to help navigate through negotiations to attain the best possible outcome.

Evaluating coverage

Let’s evaluate coverage by examining the potential costs and losses associated with the ransomware event. Rather than asking if a cyber insurance policy covers ransomware, consider asking the following ransomware questions:

1. What is the breach coach deductible on the policy?

Ideally, the breach coach deductible is Nil, as the breach coach should be brought in immediately. Depending on the policy, a deductible may apply, which means you’re on the hook for that specified amount.

2. Does the policy cover extortion payments? What is the limit? Will the insurance company assist with facilitating the payment?

Paying a ransomware extortion demand is a complicated matter, and every situation is different. The victim may decide to pay, or may refuse to pay and restore from backups, depending on many factors. What if you have to pay in bitcoin? Make sure that the insurance policy covers extortion payments and assists in setting up an account and facilitating the payment.

3. Where is the forensic investigation coverage under this policy, and what is the limit?

As soon as a third party infiltrates your systems, the question becomes, what data have they accessed, and what is the sensitivity level of that data? Often, the victim organization will hire an IT forensic investigator to get to the bottom of that. You should know that their fees are typically higher than lawyers’ fees.

4. Does the policy cover business interruption? What is the time deductible/waiting period (or both), and what is the indemnity period? Does the policy provide coverage for a forensic accountant to sort out the expected income for that period?

What if the systems were down for days during the time it took to sort out the incident? If the ransomware victim is unable to operate at their full capacity throughout this period, business interruption loss becomes a consideration.

5. Are notifications covered in any form? Is there coverage to set up a call center? Are PR costs covered?

If it turns out that the attacker breached sensitive data during the ransomware attack, the victim will incur costs for notifying all those affected. Depending on the number of records breached or the size of the business, you may need to set up a call center to deal with queries and engage a PR expert to assist with messaging.

6. Does the insurance cover data restoration? Is the cost to recreate data covered? Does this include overtime costs of employees recreating the data?

Imagine the victim is about to restore their systems from older backups rather than paying the extortion demand. Or maybe they’ve paid the demand but lost data anyway because the attacker didn’t keep his word; now the victim has to pay to restore or recreate their data. Working to restore the data is one thing; paying to recreate the data can get very costly.

7. What is the trigger for first- and third-party insurance coverages? Are there any exclusions relating to how the computer system is compromised? Any warranties relating to system maintenance?

If you want to know whether your cyber insurance policy covers ransomware, the peril, consider asking the questions above. You’ll want to ensure that ransomware is a covered trigger for both first- and third-party coverages. Note that, because ransomware is a type of malware, “malware” is usually the term used in the policy wording.

Ultimately, you’ll find the majority of the answers to these 7 questions in the insurance policy wording. You don’t necessarily have to avoid peril-based questions when asking about the policy but do keep in mind that the losses, rather than the perils, are the driver for cyber coverage. And remember, your broker and underwriter are always there to give you a hand!
