Insuring Against Ransomware and Other Cyber Extortion
Cyber Extortion Is Covered Under Many Cyber Liability Policies
In recent years, many small businesses have been victims of cyber extortion. Cybercriminals have used ransomware and other tactics to extract money from them. Losses from such events have caused some of these companies to go out of business.
What's Cyber Extortion?
The term extortion means a demand for money or other property through force or the threat of force. In cyber extortion, the perpetrator typically threatens to seize, damage or release electronic data owned by the victim. The thief's goal is to obtain money rather than data or other property. Here are some examples of cyber extortion:
- You operate an online clothing business. Cybercriminals launch a denial-of-service attack against your firm's website, sending it thousands of messages at once. The website is unable to withstand the assault and shuts down. The perpetrators then demand $5,000 to stop the attack.
- You are a divorce attorney at a law firm that caters to celebrities. A cyber thief hacks into your firm's computer system and steals client data. He then threatens to reveal scandalous details about your clients to a tabloid newspaper unless you pay him $10,000.
A relatively new type of cyber extortion is ransomware, malware that blocks access to an electronic device or the data stored on it. To regain control of the device or data, the victim must pay the perpetrator a sum of money (the ransom).
Ransomware can infect virtually any type of computer, including desktops, laptops, tablets, and smartphones. A computer user may unwittingly download malware by clicking on a pop-up ad, opening an infected email attachment, or visiting a compromised website.
One reason cyber extortion has proliferated is the rise of digital currencies like bitcoin. These currencies are easy to use and enable the extortionists to remain anonymous.
Not Covered by Property Insurance
Suppose an employee of yours opens an email attachment infected with malware. The malware spreads throughout your computer system and encrypts your files. An extortionist phones you and demands $2,000 to regain access to your files. Will the $2,000 ransom be covered by your commercial property policy?
The answer is likely no. The standard property policy provides some limited coverage for damage to electronic data caused by computer viruses. However, the coverage does not apply to a ransom paid to an extortionist.
Cyber Extortion Coverage
Cyber extortion is a coverage option under many cyber liability policies. It protects your business against losses caused by ransomware and other types of cyber extortion.
Many cyber liability policies cover three types of costs:
- Ransom Money. This is money you pay to a cybercriminal in response to a threat. Some policies also cover property (other than money) you relinquish to an extortionist.
- Extortion-Related Expenses. These are expenses you incur as a result of the extortion threat. Examples are travel expenses you incur to make a ransom payment and the cost of hiring a security expert to advise you on how to respond to a threat.
- Repair Costs. Payment of a ransom does not guarantee your computers and data will be undamaged after their release, or that they'll be released at all. Most cyber liability forms cover losses you sustain as a result of damage, disruption, theft or misuse of your data. Policies cover the cost to restore, replace or reconstruct programs, software or data.
Most cyber policies require you to secure permission from your insurer before you pay a ransom. If you make a ransom payment and then tell your insurer about it later, the payment may not be covered. The same rule applies to extortion-related expenses. If you want to hire a consultant to help you negotiate with the extortionist, you'll need to notify your insurer in advance. Otherwise, the consultant's fee may not be covered.
Most cyber liability policies provide reimbursement for a ransom payment and related expenses. They don't pay these costs upfront.
Cyber Risk Management
Some cyber liability insurers provide risk management services through a web portal such as eRiskHub. Policyholders can use these websites to learn about cyber exposures and how they can protect themselves from losses.
Cyber extortion insurance covers ransom payments you make and extortion-related expenses you incur in response to a threat. The meaning of the term "threat" is important because it determines what types of acts are covered. The definition varies, but often includes threats to do some or all of the following:
- Alter, damage or destroy your software, programs or data
- Infect your computer system with a virus or other malicious code
- Release your data or sell it to someone else
- Make your website or computer system inaccessible by initiating a cyber-attack, such as a denial-of-service attack
- Transfer funds using your computer system
Most policies limit coverage to threats that occur during the policy period. Some policies stipulate that the extortion must take place and be discovered during the policy period.
Some cyber liability policies cover acts of extortion committed by employees. Other policies exclude such acts.
Here are some steps you and your employees can take to avoid becoming a victim of cyber extortion.
- Protect your computer system with a firewall and both antivirus and email scanning software. Keep your software updated.
- Examine emails carefully before opening them. Look for red flags. For instance, the sender's address might be wrong, embedded URLs might look strange, or the email may contain numerous misspellings and grammatical mistakes.
- Don't click on pop-up ads when using the Internet. Cybercriminals use fake ads to lure victims. You can avoid pop-up ads by using a pop-up blocker.
- Back up your data regularly. Keep copies of critical data at an off-site location.
Consider creating a data breach response plan. While a response plan won't prevent breaches from occurring, it will save you time and energy after an incident is discovered.
The Federal Bureau of Investigation (FBI) recommends that victims of ransomware and other cybercrime immediately report the incident to their local FBI office. You can also report the crime to the FBI's Internet Crime Complaint Center. Reports filed by victims help keep authorities informed about the types of crimes that are occurring. The FBI uses the reports to provide information to the public about cybercrime.
Arntz, P., "Five Easy Ways to Recognize and Dispose Of Malicious Emails", Malwarebytes Labs, accessed Oct. 18, 2019
Federal Bureau of Investigation, "Ransomware Victims Urged to Report Infections to Federal Law Enforcement", accessed Oct. 18, 2019