The key components of a cyber insurance policy

Ransomware attacks do not always involve extortionate sums, but the business interruption costs can total millions


By Joe Rosengarten

Ransomware, in which a computer or network’s systems and data are encrypted until a ‘ransom’ is paid, remains a favored technique of hackers. As with other hacking strategies, ransomware attacks are growing in severity, and modern variants can now access and exfiltrate data as well as encrypt it.

“That is resulting in the need for more breach notifications (when an organization is mandated to report a breach that could cause significant harm to affected parties and regulators) than before,” explains Kari Stern, senior claims manager at NAS Insurance Services. “With older variants of ransomware, once a system was unencrypted, everyone would be back up and running. But now we have to determine whether or not information was accessed or exfiltrated and if there is the obligation to notify the consumer.”

A ransomware virus usually enters a computer or network when the user clicks on a malicious link on a website or in an email. Ransomware attacks do not always involve extortionate ransom sums: in the recent Petya event, hackers demanded only $300 for stolen data. Although the amount may appear derisory to huge organisations, the interruption to a business’s operations while the system is incapacitated during the attack can cost millions.

As a result, business interruption coverage has become a common feature of cyber policies. The business interruption payout is usually based on net profit loss suffered during the outage, although most policies have different provisions on how those losses are calculated.

Coverage for notification and breach response costs is another key component of the modern cyber policy. This feature covers the legal fees of an attorney who will be brought in to assess whether the organization is obliged to notify clients of the incident. If so, the attorney will draft a breach notification that is compliant with the laws and regulations of the state or province where each consumer lives, not where the company is based.

It's likely that a broad cyber policy will provide coverage for a range of costly vendors and services, including credit monitoring, IT forensics and PR services if required. Regulations in certain states stipulate that the targeted organization must also send out a media release if the data breach or hack surpasses a certain threshold.

“Another common type of coverage is related to regulatory defense, which provides coverage in the case of a government investigation into the cause of the breach,” Stern says. “The investigation will determine whether or not an insured was compliant with security protocols, which can also get expensive.”
