Risk Insider: Kevin Kalinich

Ransomware – Is Cyber Insurance Warranted?

By: | March 1, 2016 • 2 min read
Kevin Kalinich is the global cyber risk practice leader for Aon Risk Solutions, focusing on identifying exposures and developing insurance solutions. He can be reached at [email protected]

The Hollywood Presbyterian Medical Center paid a $17,000 bitcoin ransom to computer hackers in mid-February.


The hospital said it paid the ransom to regain access to its computer system of medical records, under the following circumstances:

  • The hospital was offline for more than a week.
  • Systems affected included computers that handle lab test results and pharmaceutical orders, even the ER.
  • Staff wrote all documentation by hand while offline.
  • The FBI, the LAPD and a forensics team are all involved following the ransom payment.

Insurance Considerations

Ransomware attacks, in which hackers lock the victim’s computer or keyboard until it pays a ransom, are on the rise.  While the health care industry is particularly susceptible to ransomware due to the critical importance of health care records, cyber extortion is not unique to hospitals.

For example, a hacker published the account statements of hundreds of Invest Bank customers in 2015 after his $3 million ransom demand was rebuffed.

A recent study found that cyber security insurance is making companies more likely to pay up when confronted by a ransomware attack.

One element of a comprehensive strategy to address data security is customized cyber risk insurance. Organizations should carefully review their existing liability policies, such as kidnap and ransom policies, and consider stand-alone cyber risk coverage.

These considerations are increasingly important because the policies available in today’s market are not standardized.

Cyber Extortion Insurance

Most cyber insurance policies are modular, which means an organization has a menu of coverages to choose from, such as business interruption, third-party liability for privacy breaches and first-party coverage for an organization’s own costs to detect, stop, investigate and remediate a network security incident.

  • Defense and indemnity costs for cyber extortion can be included in many cyber insurance forms. However, the insured is advised to understand the specific scope of coverage and limitations.
  • Cyber extortion coverage is often sub-limited, such that a $10 MM limit policy may provide $500K for cyber extortion.
  • An additional premium may be charged to include cyber extortion coverage.
  • Insurance deductibles range from $0 to $5 MM-plus. For large organizations, the $17K cyber ransom reportedly paid by the L.A. hospital would have been well below the typical $500K to $5 million deductible.
  • Similar to kidnap and ransom insurance, the insured must cooperate with the insurer, including possibly:
      • Insured may not disclose that there is cyber extortion coverage or policy can be voided.
      • Insured must first obtain the consent of the insurer prior to paying the extortion payment.
      • Some insurers include expert incident response services as part of Cyber Extortion coverage.
      • Coordination with authorities.

Enterprise Risk Management


Given the potential impact on organizations’ financial statements, management should coordinate legal, IT security, finance, operations and risk management. The risk manager should work with the insurance broker to review all applicable options before determining whether cyber extortion insurance is warranted.

For instance, what guarantees confidential records will not be released after a ransom is paid? Could a ransom payment encourage further ransomware?

Once it has decided to move forward, the organization should ensure a policy is negotiated and placed with a reputable insurance carrier that will assist the insured and pay the claim if needed.

More from Risk & Insurance

2018 Most Dangerous Emerging Risks

Emerging Multipliers

It’s not that these risks are new; it’s that they’re coming at you at a volume and rate you never imagined before.
By: | April 9, 2018 • 3 min read

Underwriters have plenty to worry about, but there is one word that perhaps rattles them more than any other word. That word is aggregation.


Aggregation, in the transferred or covered risk usage, represents the multiplying potential of a risk. For an example, we can look back to the asbestos claims that did so much damage to Lloyd’s of London names and syndicates in the mid-1990s.

More recently, underwriters expressed fears about the aggregation of risk from lawsuits by football players at various levels of the sport. Players, from Pee Wee on up to the NFL, claim to have suffered irreversible brain damage from hits to the head.

That risk scenario has yet to fully play out — it will be decades in doing so — but it is already producing claims in the billions.

This year’s edition of our national award-winning coverage of the Most Dangerous Emerging Risks focuses on risks that have always existed. The emergent — and more dangerous — piece to the puzzle is that these risks are now super-charged with risk multipliers.

Take reputational risk, for example. Businesses and individuals that were sharply managed have always protected their reputations fiercely. In days past, a lapse in ethics or morals could be extremely damaging to one’s reputation, but it might take days, weeks, even years of work by newspaper reporters, idle gossips or political enemies to dig it out and make it public.

These days, the speed at which Internet connectedness and social media can spread information makes reputational risk an existential threat. Information that can stop a glittering career dead in its tracks can be shared by millions with a casual, thoughtless tap or swipe on their smartphones.

Aggregation of uninsured risk is another area of focus of our Most Dangerous Emerging Risks (MDER) coverage.

The beauty of the insurance model is that the business expands to cover personal and commercial risks as the world expands. The more cars on the planet, the more car insurance to sell.

The more people, the more life insurance. Brand new technologies, brand new commercial covers. It all works well; until it doesn’t.

As Risk & Insurance® associate editor Michelle Kerr and her sources point out, growing populations and rising property values, combined with an increase in high-severity catastrophes, threaten to push the insurance coverage gap to critical levels.

This aggregation of uninsured value was borne out recently in catastrophe-filled 2017. The global tally for natural disaster losses in 2017 was $330 billion; 60 percent of it was uninsured.


This uninsured gap threatens to place unsustainable pressure on public resources and hamstring society’s ability to respond to natural disasters, which show no sign of slowing down or tempering.

A related threat, the combination of a failing infrastructure and increasing storm severity, marks our third MDER. This MDER looks at the largely uninsurable risk of business interruption that results not from damage to your property or your suppliers’ property, but to publicly maintained infrastructure that provides ingress and egress to your property. It’s a danger coming into shape more and more frequently.

As always, our goal in writing about these threats is not to engage in fear mongering. It’s to initiate and expand a dialogue that can hopefully result in better planning and mitigation, saving the lives and limbs of businesses here and around the world.

2018 Most Dangerous Emerging Risks

Critical Coverage Gap

Growing populations and rising property values, combined with an increase in high-severity catastrophes, are pushing the insurance protection gap to a critical level.

Climate Change as a Business Interruption Multiplier

Crumbling roads and bridges isolate companies and trigger business interruption losses.


Reputation’s Existential Threat

Social media — the very tool used to connect people in an instant — can threaten a business’s reputation just as quickly.


AI as a Risk Multiplier

AI has potential, but it comes with risks. Mitigating these risks helps insurers and insureds alike, enabling advances in almost every field.


Dan Reynolds is editor-in-chief of Risk & Insurance. He can be reached at [email protected]