The “Ransomware Pandemic” - Is Your Business Insured?
February 22, 2022, Covington Alert
According to business data platform Statista’s digital and trend reports[1], 304 million ransomware attacks were recorded globally in 2020, up from 188 million the year before. The average ransomware payment by U.S. companies in the first quarter of 2021 was 400 percent higher than the 2019 average. In the first six months of 2021, $590 million in suspected ransomware payments were made, compared with $416 million reported for all of 2020. “Double extortion” attacks—which combine a traditional ransomware attack encrypting data with a threat to disclose the stolen data publicly—are now increasingly common.
Insurers in the U.S., UK and EU insurance markets are responding to the unprecedented increase in global ransomware attacks by scaling back coverage. This article describes these market developments and provides guidance to policyholders on managing the ransomware risk.
The Current Cyber Insurance Landscape
Insurers are still willing to write cyber-risk insurance, but it has become a lot more expensive and insurers are charging more for less coverage.
At one extreme is AXA, a leading cyber insurer, which recently announced that it will no longer cover ransomware payments in new cyber policies issued to French policyholders. France suffered an estimated $5.5 billion in ransomware losses in 2020, surpassed only by ransomware losses in the United States. AXA said the decision was in response to concerns raised by French justice and cybersecurity officials during a senate roundtable in Paris in April 2021.
The Dutch government is apparently considering legislation to bar insurers from covering ransomware payments by corporate policyholders, according to Business Insurance[2].
Hiscox, a UK insurer, has decided not to cover certain kinds of policyholders. It is not renewing its larger premium cyber business and instead is focusing its cyber underwriting on customers with lower revenues in the retail sector.
Insurance broker Marsh reports[3] that the insurers still writing cyber-risk insurance have increased their premiums by 100 percent in the U.S. and by 73 percent in the UK as a result of the frequency and severity of ransomware attacks.
Insurers have also responded to the dramatic increase in ransomware incidents by reducing the limits and refining the scope of coverage provided by their cyber-risk policies. Chubb, a leading cyber insurer, has introduced several restrictive endorsements. Chubb’s marketing materials[4] explain that Chubb’s Ransomware Encounter endorsement adopts a combination of: (i) sub-limits (which cap the insurer’s liability below the aggregate policy limit), (ii) increased insured retentions, and (iii) co-insurance (a percentage of loss payable by the insured even after it has paid the retention). Chubb’s marketing materials also explain that Chubb’s new Neglected Software Exploit endorsement adopts a sliding scale of risk sharing with the insured when the insured fails to update software affected by a known exploit. That is, the longer an insured has “neglected” (in the insurer’s words) to update the software that was exploited in a cyber incident, the lower the insurer’s limit of liability and the higher the insured’s share of the loss arising out of the cyber incident.
Insurers across the board are also applying stricter underwriting criteria for cyber insurance policies. For example, many are requiring policyholders to have multi-factor authentication in place. In assessing risk, insurers are requiring more detailed submissions from prospective insureds, including “vulnerability scans” of all systems connected to the insured’s network. This means that the underwriting process takes longer and that insureds should be prepared for more scrutiny of their cybersecurity protections. Although this process sounds burdensome, it is possible that it can help insureds improve their cybersecurity.
The Outlook for Ransomware Insurance Coverage
Ransoms are often demanded by criminal enterprises who may operate in countries that are subject to sanctions. An insured can mitigate risks by taking sanctions laws into consideration before paying a ransomware demand.
U.S. companies are generally prohibited from engaging in any financial transactions with persons identified on the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC)’s Specially Designated Nationals and Blocked Persons (“SDN”) List, and with those located in certain sanctioned countries or territories. As OFAC indicates in its recently published Updated Advisory on sanctions risks for ransomware payments[5], OFAC would consider a ransom paid to a sanctioned person or sanctioned country to violate U.S. law, even if the victim of the ransomware attack was unaware that an SDN or sanctioned country or territory was involved. If the victim reports the payment to law enforcement, however, this would be considered a “significant mitigating factor when evaluating a possible enforcement outcome.” A victim should also look beyond the immediate recipient of the payment. Notably, OFAC recently levied its first sanction on a Russian-operated virtual currency exchange which facilitated ransomware payments. The currency exchange was found to have facilitated financial transactions involving illicit proceeds from at least eight ransomware variants; 40 percent of its transaction history involved illicit actors. OFAC’s actions signal a broader focus on intermediaries that facilitate ransomware attacks.
The UK and EU also maintain sanctions regimes in relation to certain designated persons and entities, which operate in a similar manner to the U.S. SDN List sanctions noted above. In contrast to the U.S. sanctions, a ransomware payment should not as a formal matter trigger a breach of UK or EU sanctions if the UK or EU person involved in making the payment conducted adequate sanctions-related due diligence, but it was subsequently determined, despite that diligence, that the funds in question ultimately were made available to a sanctioned person or entity. Nevertheless, as a practical matter, sanctions-related compliance and due diligence measures similar to those taken for U.S. sanctions purposes would typically be valuable from a UK and EU standpoint.
The former head of the UK National Cyber Security Centre has urged UK regulators to consider prohibiting insurance coverage for ransomware payments, on the theory that this will discourage criminals from ransomware attacks. The UK Royal United Services Institute (the UK’s leading defense and security think tank) and the Association of British Insurers have also called for the government to review whether making ransomware payments a criminal offence would help discourage a rise in ransomware attacks. One option under consideration is for insurers to withdraw cover for ransomware payouts while continuing to provide insurance for rebuilding IT infrastructure in the wake of such attacks.
The Ransomware Task Force, a U.S.-led team convened in early 2021 with participants from government agencies, software companies, cybersecurity vendors, financial services companies, non-profit and academic institutions from across the world, also debated a ban on ransomware payments, but did not reach consensus. The Task Force warned that governments planning to ban ransomware payments should not do so immediately. It suggested that governments instead take a phased approach, to allow organizations time to adapt to the new policy. It also recommended that governments provide strong protection and support programs to offset the burden on ransomware victims.
What the Cyber Insurance Trends Mean for Policyholders
As a result of the changing landscape, policyholders should be aware that some insurers may more readily reserve their rights on ransomware claims and force the insured to act as a “prudent uninsured” until the insurer makes its coverage determination. Where time is of the essence, a policyholder might have to choose (1) to pay the ransom but risk the ransom being uninsured, or (2) not to pay the ransom if the insurer won’t cover it and risk significant business interruption and other losses when the threat actor acts on its threats.
In this environment, policyholders can take certain steps to manage the ransomware/double extortion risk.
- Primary risk mitigation is the first step. For example, a firm’s CISO or other IT personnel should be routinely engaging in prophylactic IT security measures such as system vulnerability scans or penetration testing—whether or not required by a cyber insurance renewal application. Indeed, in its recent advisory, OFAC explicitly references the U.S. Cybersecurity and Infrastructure Security Agency’s September 2020 Ransomware Guide[6] as containing best practices and recommendations to reduce the risk of extortion by threat actors.
- Fully engaging in the insurance underwriting process might actually be helpful in improving a firm’s cybersecurity. In any event, taking steps to meet the insurer’s specific IT security standards may be necessary to secure the broadest possible cyber coverage. The prospective insured must be careful, however, to have appropriate confidentiality protections in place when sharing detailed cybersecurity information with an insurer.
- Policyholders or their coverage counsel should evaluate their current cyber-risk coverage now, to understand the amount and scope of coverage currently available and the notification requirements, including any applicable insurer pre-approval requirements for vendor selection, in the event of a cyber incident. They should discuss any gray areas with their brokers or counsel, in case clarified wording might be prudent at renewal.
- Policyholders or their coverage counsel should also inventory other current lines of insurance, including Property and Business Interruption, Errors & Omissions, Directors & Officers, Crime, and Kidnap and Ransom policies, to assess potential paths to coverage in the event of a ransomware attack. In the UK particularly, property insurers have taken steps to eliminate what they referred to as “silent cyber,” as we have previously reported in an earlier e-alert[7]; nonetheless, other traditional property/casualty insurance policies, including general liability and property damage/business interruption policies, should still be analysed for any remaining coverage potential.
- Finally, it will be prudent to start the renewal process earlier than usual to allow sufficient time for any enhanced underwriting requirements and to evaluate any new policy wordings, even if renewal pricing might not be available until closer to the renewal date.
If you have any questions concerning the material discussed in this alert, please contact the following members of our Insurance Recovery practice.