Risk Insider: Kevin Kalinich

Ransomware – Is Cyber Insurance Warranted?

By: | March 1, 2016

Kevin Kalinich is the global cyber risk practice leader for Aon Risk Solutions, focusing on identifying exposures and developing insurance solutions. He can be reached at [email protected].

The Hollywood Presbyterian Medical Center paid a $17,000 bitcoin ransom to computer hackers in mid-February.

The hospital said it paid the ransom to gain back access to its computer system of medical records, pursuant to the following scenario:

  • The hospital was offline for more than a week.
  • Systems affected included computers that handle lab test results and pharmaceutical orders, even the ER.
  • Staff wrote all documentation by hand while offline.
  • FBI / LAPD / Forensics team are all involved post-ransom payment.

Insurance Considerations

Ransomware attacks, in which hackers lock the victim’s computer or keyboard until it pays a ransom, are on the rise.  While the health care industry is particularly susceptible to ransomware due to the critical importance of health care records, cyber extortion is not unique to hospitals.

For example, a hacker published the account statements of hundreds of Invest Bank customers in 2015 after his $3 million ransom demand was rebuffed.

A recent study found that cyber security insurance is making companies more likely to pay up when confronted by a ransomware attack.

One element of a comprehensive strategy to address data security is customized cyber risk insurance. Organizations should carefully review their existing liability policies, such as kidnap and ransom policies, and consider stand-alone cyber risk coverage.

These considerations are increasingly important because the policies available in today’s market are not standardized.

Cyber Extortion Insurance

Most cyber insurance policies are modular, which means an organization has a menu of coverages to choose, such as business interruption, third party liability for privacy breaches and first party coverage for an organization’s own costs to detect, stop, investigate and remediate a network security incident.

  • Defense and indemnity costs for cyber extortion can be included in many cyber insurance forms. However, the insured is advised to understand the specific scope of coverage and limitations.
  • Cyber extortion coverage is often sub-limited, such that a $10 MM limit policy may provide $500K for cyber extortion.
  • An additional premium may be charged to include cyber extortion coverage.
  • Insurance deductibles range from $0 to $5 MM-plus. For large organizations, the $17K cyber ransom reportedly paid by the L.A. hospital would have been well below the typical $500K to $5 million deductible.
  • Similar to kidnap and ransom insurance, the insured must cooperate with the insurer, including possibly:

Insured may not disclose that there is cyber extortion coverage or policy can be voided.

Insured must first obtain the consent of the insurer prior to paying the extortion payment.

Some insurers include expert incident response services as part of Cyber Extortion coverage.

Coordination with authorities.

Enterprise Risk Management

Given the potential impact on organizations’ financial statements, management should coordinate legal, IT security, finance, operations and risk management. The risk manager should work with the insurance broker to review all applicable options before determining whether cyber extortion insurance is warranted.

For instance, what guarantees confidential records will not be released after a ransom is paid? Could a ransom payment encourage further ransomware?

Once determined to move forward, the organization should ensure a policy is negotiated and placed with a reputable insurance carrier that will assist the insured and pay the claim if needed.

More from Risk & Insurance