The increasing prevalence of ransomware attacks is presenting challenges for insurance buyers and providers alike. Historically the word ‘ransom’ has been associated with humans; a threat to people. It has been taken to mean an amount of money, usually large, that is demanded in exchange for the release of someone who has been taken prisoner. But this standard is changing.
Ransoms are increasingly being associated with threats against digital systems rather than people. The WannaCry, Petya and NotPetya ransomware attacks that struck last year caused widespread concern and business interruption, but scale is not the only issue. Smaller, less far-reaching attacks are also impacting all types and sizes of business and causing big problems. Given the availability of ransomware on the ‘dark web’, and the relative impunity with which cyber criminals can operate, there is little sign of this trend being reversed any time soon.
The key difference between human and digital ransoms, as a general rule, is the amount demanded. With relatively small sums demanded, it is often cheaper and more practical for companies that don’t have particular cyber resilience to pay the ransom than to spend potentially much greater sums restoring their systems. A number of organisations who have paid the ransom have been looking to recoup their losses through their Kidnap and Ransom (K&R) policies. As a result, a number of K&R insurers have been faced with claims which they may never have realistically anticipated.
As a result, the claims forecast in the K&R market is changing and creating tension. The last spike in demand – and claims – followed the rise of modern-day piracy in Africa. The claims are now coming from cyber – a risk that was not priced into most policies. This presents a genuine threat to the sustainability of the sector. Recognising this, a number of the leading providers are clarifying their K&R coverage and promoting buyer understanding and acceptance of terms, conditions and pricing.
In truth this is long overdue. Coverage for cyber breaches in K&R has been a grey area at best, in contrast to purpose-built cyber policies which expressly set out to provide a solution. Managing cyber claims can be difficult: there are component parts to any claim, and sometimes multiple policy types come into consideration; K&R is not alone in providing aspects of coverage for cyber attacks. This poses the question: Is it right that elements of cyber coverage are included in K&R policies? The answer is a definite yes.
For many years data has been included in K&R policies under the definition of property, and property extortion is covered, so this is not exactly a new area of consideration for K&R underwriters. And, in truth, although there are differences between traditional forms of extortion and those associated with cyber, there is a degree of overlap too. The K&R market has always provided an emergency response to forms of malicious threats, and analysts predict as cyber-crime evolves it will pose a threat not simply to data but more broadly to property and people too.
Indeed, we are already seeing changes in the nature of ransomware attacks. Ransoms are increasing and, while criminals are raising their demands, they are also reportedly showing a greater willingness to enter into negotiations. Now that there is an opportunity to be able to negotiate demands down – albeit from a higher initial starting point – K&R crisis consultants with a specific skill set, experience of dealing with extortion and the ability to see alternative ways to settle have a greater role to play. These specialists work alongside experienced legal and IT services providers as part of an effective crisis management team.
Many K&R markets are still defining their positions. For example, AIG is offering a rounded solution that offers access to a carefully selected panel of experts to help a customer through one of these attacks.
Typically, this will cover two elements:
Clients are also offered the option to avoid purchasing cyber coverage under their K&R policy if they wish but should also be prepared to see some premium increases for this coverage in return for greater certainty.
So far, so good, but shouldn’t buyers that are concerned about the threat of ransomware simply buy a stand-alone cyber insurance policy? Ideally yes: stand-alone cyber insurance is the best solution, as it offers coverage for multiple types of data breach or data threat and is not confined to extortion incidents. Ransomware, though, is undoubtedly at present one of the most prevalent forms of cyber threat, accounting for a significant percentage of attacks. So many organisations may prefer the extortion-only type of protection offered under a K&R policy. But there are limitations to the coverage. The challenge for underwriters and brokers is to help buyers select the right solution depending on a variety of factors including their risk profile and budget.
This is an issue that is not going to go away. The arrival of the General Data Protection Regulations this year in Europe could be good news for extortionists given the size of fines and penalties for those failing to adequately protect client data. We all need to work together to ensure appropriate risk management measures are in place to combat the changing face of ransom.
This article first appeared in Insurance Day on 4 February 2018.