Calls to Close Cyber Coverage Gaps as Ransomware Payment Penalties Hit
There is no denying the impact COVID-19 has had on the security posture of small and medium businesses since the move to remote working and the use of cloud-based software and technology. Phishing, poor user practices, insecure remote access, and lack of end-user security training are the main causes of recent successful ransomware attacks, and as these attacks become more sophisticated, we see a rise in threat to businesses entire electronic infrastructure. Cybercriminals look to target businesses with suitable cyber insurance resulting in high; sometimes eight-figure, ransom demands. Using ransomware malware and confidential data theft to leverage their victims, firms are forced into paying large ransom payments anonymously in cryptocurrencies such as Monero, in return for promises to provide decryption tools and to prevent the leaking of sensitive information.
In efforts to address the rise in cyber extortion attacks and navigate in this hard market, insurers and broker networks are using more detailed analytics to assess potential cyber exposures, ensuring optimal insurance limits can be set for insureds.
Addressing the increase, insurers re-evaluate large towers
With the average costs of cyber breaches on the rise, brokers are placing these high policy limits by providing cover in towers. Although this provides some sort of solution for clients, the possibility of losses and expenses outweighing their premiums is causing insurers to re-evaluate their positions in these large towers and look more closely at rates in perceived burn layers. According to an article by Willis Towers Watson, strategies around excess layers revolves around obtaining adequate premium for perceived risk. There is less competition to get on excess layers, especially if pricing is considered too thin. However, depending on attachment point and risk, excess markets are looking to increase their rates by 30%.
Insurers are playing more of a role in studying how organisations look after their sensitive data to better evaluate their risk exposure. By offering the insureds opportunities to differentiate themselves and to be transparent in their cyberculture and their approach to cyber risk across people, capital, and technology, they are utilising ever more sophisticated underwriting.
Gaps in coverage lead to Ransomware payment disputes
As we have seen earlier in November, gaps in coverage and silent cyber have become a huge concern to underwriters. With the Indiana-based G&G Oil Co. case, the firm fell victim to a ransomware attack that prevented them from accessing servers and workstations and they sought to sue Continental Western Insurance Co for coverage.
After paying the hacker a total of $34.5 million in cryptocurrency, the company sought coverage under their Multi-Peril Commercial Common Policy, specifically the Commercial Crime Coverage Part which covered computer fraud. However, in this instance, they had not purchased the optional “Computer Virus and Hacking Coverage”. The insurer claimed the losses did not result from the use of a computer to fraudulently cause a transfer of funds. Although arguments were made for the rules of interpretation of insurance policies, the courts dismissed the case, and the ruling was upheld on appeal. Ruling in the insurer’s favour, the appeals court decided that the hacker had not committed any act that could be classified as “fraud”, and did not use a computer to fraudulently cause G&G to purchase Bitcoin to pay as ransom, so concluded the attack was not covered under the policy’s computer fraud provision.
They say all publicity is good publicity - however, we can be sure the likes of Continental Western Insurance Co. would disagree, and cases such as this further illustrate the need for detailed cyber risk assessments and better relationships between insured and insurer.
Payments of Ransomware lead to penalties of millions of pounds
We are seeing a growing number of businesses falling victim to the same trap, quick to pay out ransoms rather than have their operations grind to a halt, their IT systems rendered unusable, and to avoid the dumping of their confidential data on the internet by the cybercriminals. However, it is not always as straight forward (albeit extortionate) as paying the ransom.
On November 21st, 2020, Manchester United were targeted with a ‘sophisticated operation by organised cybercriminals’. According to national press, they appear to have been held to ransom for millions of pounds. With the need to recover critical systems and the threat of highly sensitive information being leaked into the public domain, the club faces two options: Pay the ransom in the hope of obtaining decryptors and avoiding the breach of sensitive data - but possibly incur a £15m fine from The US Office of Foreign Assets Control (OFAC) - or, leave it to the police/FBI to handle and risk the information being leaked together with a potential £18m fine from the UK Information Commissioners Office (ICO).
Because the club are listed on New York Stock Exchange, the US Treasury Department dictates that if they pay the ransom demands of hackers who are listed on their global hit list, they will incur a hefty fine of as much as £15m.
OFAC warned that paying a ransom demand would be viewed as money laundering. It would also encourage them to strike again elsewhere: “Facilitating a ransomware payment that is demanded as a result of malicious cyber activities may enable criminals and adversaries with a sanctions nexus to profit and advance their illicit aims”.
To further rub salt in the wounds, the club could also face an £18m (or 2% of their total annual worldwide turnover) fine from the ICO, should the data protection of their fanbase be breached.
Considering the OFAC stance on ransomware payments, and the fact that OFAC could include insurers and other facilitators of ransomware payments in their regulatory net, insurers are looking closely at their cover for ransom payments and the need to work with law enforcement authorities during any ransom event. Using more detailed analytics assessment services in this process will route out potential cyber exposures and ensure that not only optimal insurance limits are met, but that these policies are inclusive of all risk factors.
STORM|Guidance provides a range of cybersecurity services created for insurers, brokers, and their customers, assisting them in their combat against cybercriminals. CYBER3 rapid, risk review service assesses clients and determines their vulnerabilities, assisting them in prioritising practical improvements in their cyber risk reduction. The assessment delivers clear and understandable results in five key areas: People (staffing, roles, skills), process (governance, policy and procedures), technology (security systems and IT strategy), data asset awareness (categorisation and amounts) and vendor management (oversight, risk and liability). It is the only cyber risk assessment that includes questions commonly asked by leading cyber insurance underwriters.