Risk Insider: Kevin Kalinich

Ransomware – Is Cyber Insurance Warranted?

By: Kevin Kalinich | March 1, 2016 • 2 min read
Kevin Kalinich is the global cyber risk practice leader for Aon Risk Solutions, focusing on identifying exposures and developing insurance solutions. He can be reached at [email protected]

The Hollywood Presbyterian Medical Center paid a $17,000 bitcoin ransom to computer hackers in mid-February.

The hospital said it paid the ransom to gain back access to its computer system of medical records, pursuant to the following scenario:

  • The hospital was offline for more than a week.
  • Systems affected included computers that handle lab test results and pharmaceutical orders, even the ER.
  • Staff wrote all documentation by hand while offline.
  • The FBI, the LAPD and a forensics team are all involved following the ransom payment.

Insurance Considerations

Ransomware attacks, in which hackers lock the victim’s computer or keyboard until the victim pays a ransom, are on the rise. While the health care industry is particularly susceptible to ransomware due to the critical importance of health care records, cyber extortion is not unique to hospitals.

For example, a hacker published the account statements of hundreds of Invest Bank customers in 2015 after his $3 million ransom demand was rebuffed.

A recent study found that cyber security insurance is making companies more likely to pay up when confronted by a ransomware attack.

One element of a comprehensive strategy to address data security is customized cyber risk insurance. Organizations should carefully review their existing liability policies, such as kidnap and ransom policies, and consider stand-alone cyber risk coverage.

These considerations are increasingly important because the policies available in today’s market are not standardized.

Cyber Extortion Insurance

Most cyber insurance policies are modular, which means an organization has a menu of coverages to choose from, such as business interruption, third-party liability for privacy breaches and first-party coverage for an organization’s own costs to detect, stop, investigate and remediate a network security incident.

  • Defense and indemnity costs for cyber extortion can be included in many cyber insurance forms. However, the insured is advised to understand the specific scope of coverage and limitations.
  • Cyber extortion coverage is often sub-limited, such that a $10 MM limit policy may provide $500K for cyber extortion.
  • An additional premium may be charged to include cyber extortion coverage.
  • Insurance deductibles range from $0 to $5 MM-plus. For large organizations, the $17K cyber ransom reportedly paid by the L.A. hospital would have been well below the typical $500K to $5 million deductible.
  • Similar to kidnap and ransom insurance, the insured must cooperate with the insurer, including possibly:
      • The insured may not disclose that there is cyber extortion coverage, or the policy can be voided.
      • The insured must first obtain the consent of the insurer prior to paying the extortion payment.
      • Some insurers include expert incident response services as part of cyber extortion coverage.
      • Coordination with authorities.

Enterprise Risk Management

Given the potential impact on organizations’ financial statements, management should coordinate legal, IT security, finance, operations and risk management. The risk manager should work with the insurance broker to review all applicable options before determining whether cyber extortion insurance is warranted.

For instance, what guarantees confidential records will not be released after a ransom is paid? Could a ransom payment encourage further ransomware?

Once it has decided to move forward, the organization should ensure a policy is negotiated and placed with a reputable insurance carrier that will assist the insured and pay the claim if needed.

More from Risk & Insurance

Risk Management

The Profession

After 20 years in the business, Navy Pier’s Director of Risk Management values her relationships in the industry more than ever.
June 1, 2017 • 4 min read

R&I: What was your first job?

Working at Dominick’s Finer Foods bagging groceries. Shortly after I was hired, I was promoted to [cashier] and then to a management position. It taught me great responsibility and it helped me develop the leadership skills I still carry today.

R&I: How did you come to work in risk management?

While working for Hyatt Regency McCormick Place Hotel, one of my responsibilities was to oversee the administration of claims. This led to a business relationship with the director of risk management of the organization who actually owned the property. Ultimately, a position became available in her department and the rest is history.

R&I: What is the risk management community doing right?

The risk management community is doing a phenomenal job in professional development and creating great opportunities for risk managers to network. The development of relationships in this industry is vitally important, and providing opportunities for risk managers to come together and speak about their experiences and challenges is what enables many of us to be able to do our jobs even more effectively.

R&I: What could the risk management community be doing a better job of?

Attracting, educating and retaining young talent. There is this preconceived notion that the insurance industry and risk management are boring and there could be nothing further from the truth.

R&I: What’s been the biggest change in the risk management and insurance industry since you’ve been in it?

In my 20 years in the industry, the biggest change in risk management and the insurance industry is the various types of risk we look to insure against. Many risks that exist today were not even on our radar 20 years ago.

Gina Kirchner, director of risk management, Navy Pier Inc.

R&I: What insurance carrier do you have the highest opinion of?

FM Global. They have been our property carrier for a great number of years and in my opinion are the best in the business.

R&I: Are you optimistic about the US economy or pessimistic and why?

I am optimistic that policies will be put in place with the new administration that will be good for the economy and business.

R&I: What emerging commercial risk most concerns you?

The commercial risks that are of most concern to me are cyber risks, business interruption, and any form of a health epidemic on a global scale. We are dealing with new exposures and new risks that we are truly not ready for.

R&I: Who is your mentor and why?

My mother has played a significant role in shaping my ideals and values. She truly instilled a very strong work ethic in me. However, there are many men and women in business who have mentored me and have had a significant impact on me and my career as well.

R&I: What have you accomplished that you are proudest of?

I am most proud of making the decision a couple of years ago to return to school and obtain my [MBA]. It took a lot of prayer, dedication and determination to accomplish this while still working a full-time job, being involved in my church, studying abroad and maintaining a household.

R&I: What is your favorite book or movie?

“Heaven Is For Real” by Todd Burpo and Lynn Vincent. I loved the book and the movie.

R&I: What’s the best restaurant you’ve ever eaten at?

A French restaurant in Paris, France named Les Noces de Jeannette Restaurant à Paris. It was the most amazing food and brings back such great memories.

R&I: What is the most unusual/interesting place you have ever visited?

Israel. My husband and I just returned a few days ago and spent time in Jerusalem, Nazareth, Jericho and Jordan. It was an absolutely amazing experience. We did everything from riding camels to taking boat rides on the Sea of Galilee to attending concerts sitting on the Temple steps. The trip was absolutely life changing.

R&I: What is the riskiest activity you ever engaged in?

Many, many years ago … I went parasailing in the Caribbean. I had a great experience and didn’t think about the risk at the time because I was young, single and free. Looking back, I don’t know that I would make the same decision today.

R&I: What about this work do you find the most fulfilling or rewarding?

I would have to say the relationships and partnerships I have developed with insurance carriers, brokers and other professionals in the industry. To have wonderful working relationships with such a vast array of talented individuals who are so knowledgeable and to have some of those relationships develop into true friendships is very rewarding.

R&I: What do your friends and family think you do?

My friends and family have a general idea that my position involves claims and insurance. However, I don’t think they fully understand the magnitude of my responsibilities and the direct impact it has on my organization, which experiences more than 9 million visitors a year.




Katie Siegel is a staff writer at Risk & Insurance®. She can be reached at [email protected]