Many businesses that previously resisted the urging of their insurance broker or (ahem) legal counsel to buy cyber-insurance are now re-thinking that strategy in the wake of the “WannaCry” ransom-ware attack that has been in the news. The damage in the U.S. was apparently minimized by quick-thinking security specialists in the UK, but the attack reportedly caused considerable disruption in Europe – although the total amount of the ransom payments has (so far) been small. The publicity, however, has all businesses asking good questions about where they stand. When you talk to your broker to buy cyber coverage, or review your current insurance, keep a few things in mind.
First, although one of the key benefits of cyber-insurance is coverage for the ransom, under the policy’s ransom-ware a/k/a cyber-extortion coverage, the “collateral damage” from a ransom-ware attack is often more consequential. It has been reported that the business interruption damage from WannaCry is in the neighborhood of $1 billion to $4 billion, while the total ransom paid is under $500,000 so far. So when presented with a cyber-coverage program that has sub-limits (as many do) for extortion coverage and for business interruption, focus on the business interruption coverage, including not just limits but any conditions put on the coverage. We’ve written about the importance of other “non-obvious” benefits of cyber-coverage before, here.
Second, be careful about the application process. One of the reasons that WannaCry appears to have been so successful is that it infects Windows computers with obsolete or un-patched operating systems. And apparently there are a lot of such machines out there. Applications for cyber-coverage commonly ask about routine security practices like updates to software and installation of security patches. If you answer “yes” to these questions but in reality suffer a breach or ransom-ware attack because those procedures were not followed, you may have paid a hefty premium for a denial of coverage. We have written about these kinds of “traps” before, here.
Third, take a close look at the exclusions. It is now being reported that WannaCry, although apparently stolen from an archive of cyber-threats maintained by the NSA, may have been set loose by North Korean hackers. And of course it has been alleged that other cyber-attacks have come from nation-state actors, including Russia (the DNC hack), North Korea (the Sony hack) and also terrorist groups. Some cyber-policies contain broad exclusions for losses due to “war” or “terrorism.” As with many things in the cyber-coverage world, the wording is inconsistent. (For example, one policy that I’ve worked with excludes loss “arising out of any: war (declared or undeclared) [or] … acts of terrorism (whether domestic or foreign)…” while another excludes loss “arising from, or in consequence of:… any riot or civil commotion, outside the United States of America or Canada, or any military, naval or usurped power, war or insurrection…”). In light of what we know about both 1) insurance companies’ willingness to take vaguely-worded exclusions and apply them if the loss is high and 2) the frequency with which nation-states are being implicated in hacks, it may be worthwhile searching for a policy that has no such exclusions, or an insurer that is willing to delete the exclusion.
For more information about cyber-coverage generally, I encourage you to use the search bar of this blog and type in “cyber-risk.”