07. September 2021

Insurance in the age of ransomware


Cyber insurance // In the shadow of the global coronavirus pandemic, another threat is spreading. Although it receives less attention, it is similar in nature and can affect anyone: the ransomware
epidemic. The consequences can be devastating, leading the relevant decision-makers in organizations to ask: can we get insurance against ransomware and other cyber risks?

“Data is the new oil”: a well known statement that also cuts to the heart of cyber insurance, which covers damages and costs caused by the unavailability of data (data, like oil, is “fuel”), or the theft or publication of sensitive data (data, like oil, is an important and valuable “raw material”). Cyber insurance is usually pretty broad and covers both first-party and third-party damage, as well as additional services following a cyber incident.

However, first it is important to clarify what a cyber incident is, in the sense of insurance. Unfortunately, there is not (yet) a general standard and every insurance company describes the insured incidents differently. Most of the time, a cyber incident is interpreted quite broadly and includes breaches of information security caused either by an external attack or by employee errors. A malicious external attacker is therefore not the only scenario accepted, and in some cases, even system errors are included.

First-party damage
First-party damage refers to all damage and additional costs to rectify the damage affecting the insured company itself. In the case of cyber damage, this may in particular consist of loss of income due to disruption of business and data restoration costs, as well as general damage repair costs, replacement of hardware and payments of ransom money. In the event of a successful ransomware attack, multiple components of first-party damage can come into play:

  1. production could be stopped for several weeks, deliveries to customers could be delayed and the company could lose sales while continuing to be responsible for a large part of its production costs.

  2. Considerable costs could be incurred by hiring a specialist IT service provider to restore the lost data, and some data may be irretrievably lost, meaning

  3. that, after weighing up all the factors, the company decides to pay the ransom money after all.

These are all examples of damage that is often covered by cyber insurance policies. It is important to note that the payment of ransom money is not legal in all countries, can be subject to strict requirements and should generally only be considered as a last resort. A detailed description of a ransomware attack can be found in the article “From Kitchenware to Ransomware” (see below).

Third-party damage
Third-party damage occurs when the insured company causes damage to a third party. Here too, ransomware can strike when, for example, cyber criminals increase pressure on the company and steal confidential customer data before demanding a ransom. If the threat is acted on, the blackmailed company can get into legal difficulties. In this case, cyber insurance covers the third-party damage claims of customers and will pay the often very high costs for a legal defense. Other types of third-party damage may occur if malware is transferred to third parties via the company network, resulting in damage, or if personal rights are accidentally injured. Even in these cases, cyber insurance will cover the third-party liability payments and legal defense costs, provided that coverage is included in the respective insurance policy.

Additional services
Cyber insurance companies not only cover the costs of any resulting damage; they often work directly with incident response providers too, whose services can be used in the event of a serious incident in the insured company. In a crisis situation, like an ongoing ransomware attack, this can be of immeasurable value. Frequently offered services include forensic IT analyses, legal support by specialized legal firms, or setting up and running a call center to provide information to customers affected by data theft. Even preventative services, such as access to cyber training or assistance with the development of crisis plans, are included in some cyber insurance policies.

Limits of insurance coverage
Several effects of cyber incidents, such as direct damage to reputation or theft of intellectual properties, is rarely or never covered by conventional cyber insurance policies. This is predominantly because these effects are difficult to quantify and therefore not possible to insure. If, therefore, a company suffers damage to its reputation due to a successful ransomware attack, the reputational damage itself is not covered. Nevertheless, major damage to a company’s reputation can be averted by means of specialized crisis managers and PR support. These services are often covered by cyber insurance policies. It is also important to consider any exclusions, such as war exclusions, or specific obligations (of the insured person) that are defined in the insurance policy.

“Marry in haste, repent at leisure,”
s the saying goes. Of course, a cyber insurance policy is not a marriage and is usually limited to a year, after which it can be renewed. Nevertheless, it is worth heeding this advice. Insurance is not a replacement for, but part of risk management: Every company should therefore consider which damage scenarios are a possibility, how the risk management measures will reduce the risk, and how high their risk appetite is (i.e. how much at most they are able to pay out of pocket for the cost of any foreseeable damage). This can then serve as a basis for the level of insurance protection. Once these considerations have been taken into account, it is also much easier to compare different insurance policies.
It is not only the company that is involved in the decision; the insurance company itself decides whether to offer the company coverage. In the underwriting process, both the company's cyber exposure and risk quality are evaluated. This evaluation helps in deciding whether to offer an insurance policy, but is also used to calculate the price. In general, this means: better cyber risk management is usually rewarded with lower premiums. If you are interested, you can read more about this in the article “Underwriting of Cyber Risks: A Recipe” (see below).

Maya Bundt

Maya Bundt heads up Cyber Solutions at Swiss Re, is a member of the WEF’s Global Future Council on Cybersecurity and digitalswitzerland’s Cybersecurity Committee. She is also on the board of directors at Valiant and APG.