Cyber-ransom is the talk of the town when it comes to insurance these days, second only to social engineering fraud. A cyber-ransom event typically involves malicious code (malware) being installed on an individual computer or a system, typically through a “phishing” e-mail that contains an innocent-looking link (often to a legitimate site, such as Dropbox) that actually leads to an executable file, downloading malware. Once inside, the malware encrypts the system, shutting it down or hobbling it significantly. The malware then sends a ransom demand, offering to restore access to the system in exchange for payment ranging from a few hundred dollars to thousands. Payment is usually demanded in bitcoins, the “currency” of choice for those who operate in the dark web.
Most cyber-insurance policies offer coverage for cyber-ransom events (also referred to as “cyber extortion”) but a recent ruling may give insurers an opening to deny coverage. In a criminal money-laundering case in Florida state court, a trial judge recently held that bitcoins are not “currency” or “money” but is instead a currency-substitute more akin to a commodity. This blog post from the Wall Street Journal describes the decision.
Why would that matter for coverage? According to Rick Zelinski, a broker at PayneWest Insurance in Spokane, the definitions in some cyber policies “define ‘cyber-extortion costs’ as ‘… payment of money.'” The implication is that if the insured pays the ransom in bitcoins, but bitcoins are not “money,” the insurer may refuse to pay benefits under the policy. The solution, according to Rick, is to demand that underwriters tailor the definitions language “something along the lines of ‘…policy will pay loss from payment made in money, or other means such as but not limited to bitcoins, to the extent of the monetary equivalent, or value exchanged to secure such other means.” It is far easier to ask insurers to tailor definition language for cyber policies, because those policies are not written on industry-standard forms: each insurer writes their own, making it both more difficult to do an “apples to apples” comparison and easier (somewhat) to negotiate amendments to definitions and other terms.
Is it worth it to put this kind of effort into getting really solid cyber-ransom coverage? Yes, it is. According to this report, healthcare businesses are being bombarded by thousands of phishing emails per day and paying out substantial sums to extortionists so that they can stay in operation, and the problem is so severe that Congress is considering scaling back requirements to have medical files digitized. One hospital in Los Angeles received a ransom demand for millions, but managed to work-around most of the disruption (after a lengthy period of having to use paper and pen to operate) and ended up paying out only $17,000 in bitcoins. Dell researchers found that one ransom-payment Bitcoin site collected $1.1 million in a six-month period in 2014 from many separate cyber-ransom events. And according to this report in the New York Times in February, hackers are increasingly going after larger businesses and government entities.
The new decision from Florida is an example of why it is important for those of us counseling clients on coverage issues to stay on top of new developments. Hopefully insurers will be open to modifying problematic language in their policies to eliminate any question about coverage for the serious threats posed by cyber-criminals, including cyber-ransom.