It's a nightmare scenario for business owners. Employees log in to their workstations and attempt to access the usual systems, expecting to find customer reports. Instead, they find a message demanding money.
If the business wants to regain access to its software and data, it will have to pay a ransom. Until then, it is locked out. The business has become the latest victim of ransomware.
Ransomware is malicious software that hackers introduce into an organization's computer network to encrypt its data. The hackers hold the data hostage until their demands are met.
Those demands are normally for money, often payable in a crypto-currency such as Bitcoin. The hackers threaten to encrypt the data indefinitely, or even start deleting it, if they do not receive payment.
Ransomware has been around for a decade, but its use has exploded since 2015. Because it was infrequent until recently, insurance coverage for losses resulting from these attacks has not yet been widely purchased.
While cyber insurance has been available for several years, the coverages continue to evolve with the threats they insure against. Also, businesses have been slow to see a need for these policies, resulting in a low level of sales.
Consequently, an organization that becomes a victim of a ransomware attack might find itself uninsured. However, there are two potential avenues for coverage that many organizations already have - directors and officers (D&O) liability insurance and crime insurance.
Kidnap & ransom coverage
These policy types often provide kidnap and ransom (K&R) coverage. This coverage, frequently purchased by multinational corporations, applies to an organization's cost to pay ransoms.
Traditionally, coverage applies only if an "insured person" such as an employee or executive was kidnapped. Such policies would do nothing for the victims of ransomware attacks.
Some insurers are now providing - either deliberately or unintentionally - K&R coverage that applies to ransoms paid in response to cyber extortion. Among the events these policies may consider cyber extortion:
Threats to poison a computer system with malware.
Threats to change, damage, or destroy programs or data stored on a system if the owner does not pay a ransom.
Some insurers who provide K&R coverage did not anticipate covering ransomware losses and have made changes to the policies they sell. For example, some have added deductibles to the coverage, mirroring the terms of cyber policies, while others have capped the amount of business interruption coverage they will provide for cyber extortion losses.
Other insurers have changed their policies to better cover ransomware losses. Some have set up Bitcoin accounts for clients so that ransom payments can be made faster, shortening the length of time a business is incapacitated.
Experts expect the problem to become more urgent. The cost of global ransomware attacks in 2015 was $325 million, but by 2019 it is expected to be more than $11.5 billion. As the threat increases, organizations will have no choice but to insure against these losses, either through D&O coverage or cyber insurance.
Those who do not carry cyber insurance should review their D&O policies with their agents to determine whether the K&R coverage applies to ransomware losses.
If the coverage is missing, steps should be taken to obtain it, either through K&R coverage or cyber policies.
Cyber criminals are using ever more sophisticated tools. Sound network security practices and employee education are the best way to avoid disaster, but proper insurance coverage is essential if things should go wrong.