Tag Archives: cyberinsurance

Cyber: The Spectre of Uninsurable Risk?

It’s been an awfully eventful start to the New Year. In case you’ve missed the news, two major security flaws have been discovered in the processors that power nearly all of the world’s computers. The two techniques discovered to exploit these flaws, nicknamed Meltdown and Spectre, could allow hackers to steal data and secrets from any vulnerable computer, including mobile devices. Because the flaws are with the computer processor itself, any software platform running on top of an affected processor is potentially vulnerable.

If by this point you’ve tired of hearing about technology vulnerabilities, this one is different (but also mostly the same, as I’ll get to a bit later). For one, this isn’t a software bug like you might find in your operating system or browser. Nor is it a physical defect in the processor itself. Meltdown and Spectre aren’t really “bugs” at all. Instead, they represent methods to take advantage of the normal ways that many processors work for the purpose of extracting secrets and data. More important, though, is the magnitude of the impact. By comparison, the WannaCry and NotPetya ransomware attacks wreaked global havoc exploiting vulnerabilities that are believed to have affected ~400,000 computers, versus the estimated 2 billion computers susceptible to Meltdown and Spectre.

See also: New Approach to Cyber Insurance  

These events could hardly have come at a more interesting time for the cyber insurance industry. Only a few days prior, in an interview with the Financial Times, Christian Mumenthaler, CEO of Swiss Re, one of the world’s largest reinsurers, wisely questioned the very insurability of cyber risk due to the possibility of accumulation risk—the possibility that a cyber event could hit many insurance policyholders at the same time, by the same attack, resulting in huge potential claims payouts.

Sound familiar?

Cut the FUD

As we’ve discussed before, we now live at a time where a cyber attack, technology failure or human error can cause everything from data theft to supply chain disruptions, hospital shutdowns, hotel room lockouts, blackouts and even nuclear centrifuge explosions—literally the entire spectrum of known risk. That these events could even theoretically occur on a massive scale, and all at once, is certainly cause for alarm—it would indeed pose a serious accumulation risk and eliminate one of the core pillars of insurability.

However, it would be mistaken to assume that such a scenario, as in the case of Meltdown and Spectre, is anything more than FUD (fear, uncertainty and doubt). This is hardly to say that the discovery of these security flaws is much ado about nothing. On the contrary, they pose a very real threat and may well open the door to serious cyber attacks. However, as with the headline-grabbing ransomware attacks of 2017, there are many reasons to believe that subsequent losses will be relatively contained.

Hierarchy of Cyber Security

To understand why, it’s helpful to understand the hierarchy of cyber security. At the base are vulnerabilities in all their forms (software, humans, even processor architectures). That the base is bounded is misleading because, in reality, there are an infinite number of vulnerabilities that can and will exist. However, vulnerabilities only matter if they pose a threat to an organization. This combination of threat and vulnerability is generally the risk an organization faces. Even then, threats don’t matter unless someone proceeds to attack you. And that someone at the top of the pyramid is, 10 out of 10 times, a human actor. Why does this matter?

It matters because cyber attacks are really just forms of cybercrime, which itself is merely a form of crime—it is the people, not the form, that matter. There are costs for criminals to launch attacks, and not just the risk of being caught (which for the moment is abysmally low). Criminals require time, infrastructure and money to fund their enterprises, enumerate targets and move through the kill chain toward the realization of their desired outcomes. All the while they must also factor in the uncertainty of achieving the outcome.

Exploits for security flaws can accomplish many things, but few produce cash.

Every step in this chain takes effort. Although cyber criminals are becoming more numerous and sophisticated, they are still limited in how much damage they can cause and profit they can reap. As a result, even though an entire population may be vulnerable, the economically optimal strategy for an attacker is nonetheless to focus on a relatively small set of victims.

Cyber insurance is dead. Long live cyber insurance!

Although there is little doubt that certain accumulation scenarios exist, limiting the insurability of certain cyber risk exposures, this is not one of them. Absent an expertise in hacking and cybercrime—and the economics thereof—it is no surprise that many insurers offering cyber insurance struggle to understand, much less manage, accumulation risk. It’s high time they woke up.

See also: Cyber Insurance Needs Automated Security  

Insurers must come to realize the role that insurance plays in protecting companies from all forms of risk that accompany the digitization of everything. It also means thinking about cyber insurance as more than just coverage for data breach and response. The most recent devastating attacks have resulted in business and supply chain interruption, and even physical property damage. It is hardly a stretch to imagine exposure to nearly every other form of known risk, including bodily injury or even pollution. Of course, with new exposures come new challenges in underwriting and management of accumulation.

Overcoming these challenges won’t be easy. It will mean using data in an entirely novel way to not only assess the risk of an individual policyholder, but an entire population of policyholders, and doing so on a continuous basis. It will also mean measuring diversity, and particularly technological diversity, to manage accumulation in novel ways. How many insurers today know which cloud service provider their clients use, much less which versions of software they are running? Or whether their clients’ passwords have been compromised in a third-party data breach? If you don’t know these answers, you’re in trouble. Gone are the days when accumulation will be managed by geography, industry and revenue size. Are we up to the challenge?
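The paragraph above argues that accumulation should be managed by technological diversity rather than by geography, industry or revenue size. The following Python is an added illustration, not code from the article or from any insurer, of what that measurement looks like in practice: for a constructed book of policies it aggregates exposed limits along a technology dimension (cloud provider, OS version), scores concentration with a Herfindahl index, flags any single dependency that carries more than a set share of the book, and prices a shared-vulnerability scenario. All policy names, limits and field names are made up for the example.

```python
"""Accumulation check across technology dimensions (added example).

Given a book of cyber policies annotated with each insured's cloud provider,
OS version and whether its credentials appeared in a third-party breach, this
computes how much aggregate limit sits behind one shared dependency. A single
vulnerability in that dependency (one provider, one unpatched OS family) is the
accumulation scenario the text describes.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    insured: str
    limit: float                # policy limit in currency units
    cloud: str                  # hosting provider the insured relies on
    os_version: str             # dominant OS build in the insured's fleet
    breached_credentials: bool  # credentials seen in a third-party breach dump


# Constructed sample book; every value here is invented for the example.
BOOK = [
    Policy("alpha-retail", 5_000_000, "cloud-a", "win-2012", True),
    Policy("beta-health", 10_000_000, "cloud-a", "win-2016", False),
    Policy("gamma-bank", 20_000_000, "cloud-b", "linux-lts", False),
    Policy("delta-logistics", 2_000_000, "cloud-a", "win-2012", True),
    Policy("epsilon-media", 3_000_000, "cloud-c", "linux-lts", False),
]


def exposure_by(book, attr):
    """Sum policy limits per distinct value of one technology attribute."""
    totals = defaultdict(float)
    for p in book:
        totals[getattr(p, attr)] += p.limit
    return dict(totals)


def herfindahl(shares):
    """Herfindahl index over shares summing to 1: 1/n for an evenly spread
    book, 1.0 for a monoculture where every insured shares one dependency."""
    return sum(s * s for s in shares)


def concentration_report(book, attr, max_share=0.4):
    """Describe concentration along `attr` and flag the largest dependency
    when it exceeds `max_share` of total exposed limit (an assumed appetite)."""
    totals = exposure_by(book, attr)
    grand = sum(totals.values())
    shares = {k: v / grand for k, v in totals.items()}
    largest = max(shares, key=shares.get)
    return {
        "dimension": attr,
        "hhi": herfindahl(shares.values()),
        "largest": largest,
        "largest_share": shares[largest],
        "over_appetite": shares[largest] > max_share,
    }


def scenario_loss(book, attr, value, loss_fraction):
    """Aggregate loss if every insured sharing attr == value loses
    loss_fraction of its limit in one correlated event."""
    return sum(p.limit * loss_fraction for p in book if getattr(p, attr) == value)


def compromised_credential_exposure(book):
    """Limit behind insureds whose credentials are already circulating."""
    return sum(p.limit for p in book if p.breached_credentials)


if __name__ == "__main__":
    for dim in ("cloud", "os_version"):
        print(concentration_report(BOOK, dim))
    print("loss if all win-2012 fleets lose 30% of limit:",
          scenario_loss(BOOK, "os_version", "win-2012", 0.3))
    print("limit behind breached credentials:",
          compromised_credential_exposure(BOOK))
```

The same three functions run unchanged over any attribute you collect at underwriting time (patch level, e-mail provider, identity platform), which is the continuous, population-wide view the paragraph calls for; the 40% appetite threshold is an assumption for the example, not a market figure.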

Long live cyber insurance.

5 Ransomware Ideas, or You’ll WannaCry

A massive cyberattack involving a ransomware software program called Wanna Decryptor, also known as “WannaCry,” recently swept the globe, freezing computer systems and causing major disruptions. The attack — which is the largest ransomware infestation ever — affected tens of thousands of organizations across the globe and a wide range of industry sectors, including the U.K.’s National Health Service (NHS), Spanish telecom giant Telefonica, French car maker Renault, Portugal Telecom and U.S. delivery company FedEx, among many others. The attack reportedly affected nearly 150 countries.

Ransomware (a combination of the terms “malware” and “ransom”) has become an increasingly common form of cyber extortion. It often involves extortionists taking control of a computer system and locking files and data on the system by encryption, thereby rendering them inaccessible and useless, until a demand for payment, typically in Bitcoin, is satisfied. A typical form of ransomware, WannaCry does the following: 1) locks all data on the victims’ computer systems; 2) informs victims that their files have been encrypted; 3) warns that those files will be deleted unless payment in Bitcoin is received; and 4) provides instructions for executing and sending the payment.

Ransomware has become frighteningly pervasive and increasingly serious and expensive. Ransomware attacks quadrupled from 2015 through 2016, to an estimated 4,000 per day according to the U.S. Department of Justice and, as punctuated by WannaCry, are projected to double yet again in 2017. These types of cyberattacks can, and do, cause significant operational disruption, often halting a business in its tracks, damage reputations and create other types of losses and exposures. Every industry sector is seeing an increasing threat, with the healthcare and education sectors particularly targeted. Other forms of cyberextortion — including threats to obtain or release protected information, such as personally identifiable customer data, protected health information and confidential corporate information, or to discharge denial-of-service attacks that disrupt an organization’s networks, causing business interruption — also entail significant potential exposure to organizations.

See also: The Growing Problem of Ransomware

Here we offer five insurance and other considerations for organizations to consider in the face of an enormous uptick in increasingly severe ransomware attacks and other forms of cyberextortion:

1. Consider purchasing “cyberextortion” insurance. No firewall is unbreachable, and no security system impenetrable. In the context of this reality, insurance can play a vital role in a company’s overall strategy to address, mitigate and maximize protection against the legal and other exposures flowing from serious cybersecurity, privacy and data protection-related incidents. Importantly, almost all stand-alone so-called “cyber” insurance policies offer coverage for ransomware and other forms of cyberextortion. This type of coverage is specifically designed to cover losses and expenses that an organization incurs in the wake of a cyberextortion incident like the WannaCry software virus, together with myriad other forms of first and third-party cybersecurity and data privacy-related exposures, including coverage for crisis management (such as notification to potentially affected individuals, credit monitoring and call center services), data breach and network security-related claims and liability, including regulatory liability, business income loss, and digital asset loss. Cyberextortion coverage can be extremely valuable as a way for organizations to address and mitigate losses arising from mounting extortion threats, and many organizations now purchase this coverage as part of their cyberinsurance programs.

2. Closely review cyberextortion insurance terms and conditions. It is clear that cyberinsurance can be extremely valuable, but obtaining the right insurance product presents significant challenges. There is a diverse and growing array of cyberinsurance products in the marketplace, each with its own insurer-drafted terms and conditions that vary dramatically from insurer to insurer — and even between cyberinsurance policies underwritten by the same insurer. In addition, the specific needs of different industry sectors, and different organizations within those sectors, are far-reaching and diverse. For these reasons, organizations purchasing cyberinsurance, and the cyberextortion components of that insurance, are well advised to closely review the terms and conditions of the coverage to ensure that the organization’s cyber extortion risk will be covered, without a protracted battle with the insurer, in the wake of an attack. Among other things, organizations are advised to consider the following:

  • Scope of coverage. Cyberextortion coverage should be written to cover as broad a range of potential attacks, and potential exposure outcomes, as possible. The coverage should include any threat to harm, impair access to or engage in unauthorized access to, relevant computer systems and the applications, files and data residing on those systems, together with any threat to access or divulge any sensitive information in the organization’s possession or control.
  • Key definitions. Key definitions must be sufficiently broad to match the reality of risk faced by the insured organization. By way of example, in addition to definitions that define the scope of coverage, definitions governing the types of losses and expenses that are covered should be carefully reviewed. The policy should cover reasonable and necessary expenses incurred by the insured organization resulting from a covered threat, including the costs of investigating and assessing a threat (even if no ransom is paid), should expressly cover payment of cryptocurrencies (including Bitcoin), as well as, preferably, any other consideration or action that may be demanded by the extortionists, and should cover reasonable and necessary expenses incurred to mitigate or reduce other covered expenses.
  • Conditions. Organizations are advised to pay close attention to policy conditions, including notice and consent provisions, proof of loss provisions, allocation provisions, alternative dispute resolution provisions and any requirements that the organization notify law enforcement of the incident at issue. The importance of notice provisions is addressed in further detail below. Consent provisions may be favorably amended to state that an insurer’s consent to satisfying the extortion demand “shall not be unreasonably withheld.” Other provisions, such as the requirement of involving authorities, may be deleted. As discussed more below, cyberinsurance policies are highly negotiable, and very favorable amendments can often be made for no additional premium charge.
  • Exclusions. It also is critical that organizations be aware of any insurance policy exclusions that may vitiate the coverage that the policy was intended to cover. By way of example, cyberinsurance policies typically contain a “bodily injury” exclusion. Such an exclusion may pose a particular problem for hospitals and other healthcare providers, which rely on access to patients’ medical records to provide appropriate care and treatment. As with other exclusions, it may be possible to significantly curtail or delete bodily injury exclusions. Many other types of exclusions can be curtailed or deleted — often for no additional policy premium.
  • Sublimits and retentions. It is clearly important that a cyberinsurance sublimit of liability (a ceiling on the amount of coverage available to cover a specific type of loss at issue) be sufficient to cover the organization’s potential exposure. Like other facets of cyberinsurance coverage, including coverage for losses associated with regulatory action and PCI DSS-related liabilities, cyberextortion coverage may be written subject to a relatively low sublimit, such that, for example, a $10 million limit primary policy may provide only $250,000 or $500,000 for cyberextortion losses. In addition to policy limits, organizations are advised to pay attention to self-insurance features, such as policy retentions or deductibles, which typically range from $0 to in excess of $5 million. As with the case of other cyberinsurance terms and conditions, sublimits and retentions usually are negotiable. On a related point, as discussed further below, what starts with an extortion threat can end up triggering many different modular aspects of cyberinsurance coverage. It, therefore, is important that the policy contain a provision stating that an extortion threat, together with any other first- or third-party covered events that trigger different coverage sections of a policy, are subject only to a single retention, and that any lower retention amount applicable to a particular coverage section, such as a cyber extortion section, is met when that lower retention amount is satisfied by payment of loss under that coverage section.

Although placing coverage in this dynamic space presents a challenge, it also presents substantial opportunity. The cyberinsurance market is competitive, and cyberinsurance policies are highly negotiable. This means that the terms of the insurers’ off-the-shelf policy forms often can be significantly enhanced and customized to respond to the insured’s particular circumstances. Frequently, very significant enhancements can be achieved for no increase in premium. Before an attack occurs, organizations are encouraged to negotiate and place the best possible coverage to decrease the likelihood of a coverage denial and litigation. A well-drafted policy will reduce the likelihood that an insurer will be able to successfully avoid or limit insurance coverage in the event of a claim.

3. Provide notice and comply with other policy conditions. Insurance policies typically contain notification provisions stating that the insured organization must provide notice within a certain time frame, often “as soon as practicable,” even “immediately,” after the organization becomes aware of an incident. Although providing notice to an insurer may not be top of mind in a cyberattack, particularly where the demand is far below the policy retention or deductible, it is important for an organization to reasonably comply with notice provisions (and other policy conditions, including consent provisions) to not jeopardize, or delay, coverage. In the context of providing notice, moreover, it is important for organizations to recognize that what begins as a relatively low cyberextortion demand may quickly evolve into an incident or series of related events that triggers other first-party coverage sections of the insurance policy, such as the business income loss coverage (an extortion event may result in a significant loss of business income), extra expense coverage, digital asset loss recovery/restoration coverage and crisis management coverage and, to the extent personally identifiable information or protected health information may have been compromised, for example, the third-party claim coverage sections of the policy, including coverage for data breach-related lawsuits and regulatory liability. Indeed, a ransom demand may be deployed as a purposeful diversion from a different, principal goal, such as stealing sensitive records. Recognizing this reality, it is important that the organization be aware of, and reasonably comply with, notice provisions to avoid a coverage defense based on purported late notice.
In addition, providing notification can provide the insured organization with valuable coverage for costs related to the extortion threat, such as a forensics investigation, which may reveal other malware on the computer system, stop the intrusion and block future extortion attempts, a consultant to utilize decryption keys or to recreate the files and data at issue, and, where appropriate, legal counsel. The bottom line: In the event of a cyberextortion demand, organizations are advised to provide notice under all potentially implicated policies, excepting in particular circumstances that may justify refraining to do so, and to carefully evaluate all potentially applicable coverages.

4. Maximize coverage across the entire insurance program. Although cyberextortion coverage is an obvious place to look for coverage in the wake of a ransomware attack or other cyberextortion incident, organizations are advised to consider all potentially applicable insurance policies and coverages. As noted above, a cyberextortion incident may trigger various other coverages under the organization’s cyberinsurance program, and also may trigger other insurance policies and programs, such as computer crime policies and kidnap and ransom policies. The various types of insurance policies that may be triggered by a cyberattack likely carry different insurance limits, deductibles, retentions and other self-insurance features, together with various different and potentially conflicting provisions addressing, for example, other insurance, erosion of self-insurance and stacking of limits. For this reason, in addition to considering the scope of substantive coverage under an insured’s different policies, it is important to carefully consider the best strategy for pursuing coverage in a manner that will most effectively and efficiently maximize the potentially available coverage across the insured’s entire insurance portfolio. Absent a compelling reason, notice should be provided under all policies that potentially provide coverage.

5. Exercise business continuity and improve computer security. Insurance aside, the best protection against a ransomware attack is to have all files and data securely backed up, in a separate physical location, or at least on a separate system, so that extortionists cannot permanently delete business-critical information that cannot otherwise be recovered. It also is important to reflect on how these types of attacks occur. Cyberextortionists must get malicious software onto a system, or a connected device, and this often is achieved through tricking employees into clicking on attachments or links in phishing emails, which increasingly look convincing. Therefore, improving computer security, including through antivirus programs, spam filters, firewalls, installation of software updates and security patches (early reports indicate that WannaCry appears to exploit a vulnerability in Windows that Microsoft patched on March 14, which would have automatically protected those computers with Windows Update enabled), disabling of macro scripts and using application whitelists, which only allow approved files to execute, is essential. Likewise, training employees to recognize and avoid social engineering exploits such as phishing emails is key in negating or minimizing ransomware threats. Organizations also are advised to consider incorporating ransomware attack scenarios into their incident response planning.

See also: Ransomware: Your Money or Your Data!

A well-negotiated insurance program, together with solid business continuity planning and comprehensive, active cybersecurity policies and procedures, will position an organization to be resilient in the face of the serious and escalating threat posed by cyberextortion.

This article originally appeared on Law 360.

What to Consider When Buying Cyber

No industry or organization, wherever situated and whatever the size, is immune to the threat of cyberattack, and the impact can be catastrophic, both financially and in terms of reputation. For example, eBay recently announced a massive cyberattack that may have exposed the personal data of 128 million customers globally.

The management of cyberrisk clearly needs to be high on the boardroom agenda. Network security alone cannot fully address the issue: Experience has shown that even top-notch, state-of-the-art cybersecurity is vulnerable.

Boards need to ensure that they identify key risks and prioritize the protection of critical information. Internal policies and procedures should be put in place to ensure that staff are aware of risky behaviors, such as disclosing passwords and opening suspicious documents in unsolicited emails. Companies need to see that network security systems and controls are regularly tested and monitored, and that response procedures are in place in case of a cyberattack or data breach.

Insurance can also play a vital role in managing cyberrisks. As part of the board’s risk assessment, it needs to understand the types of cyberrisk, and the potential losses and liabilities that follow. This is the first step in understanding the organization’s insurance requirements and the extent of coverage required for cyberrisks.

Consider the Company’s Risk Profile
An initial assessment of the company’s risk profile and areas particularly vulnerable to cyberattack is crucial. External advice may be needed. The risk assessment should extend across the organization. The assessment needs to consider the amount and type of personally identifiable information, customer data and confidential corporate data the organization maintains and how such data is used, transmitted and stored. The company’s technology infrastructure should be evaluated, as well as potential threats to network security and the likely consequences of significant interruptions to online working or customer transactions. Also consider the risk of third-party claims arising from the company’s media content and the services provided to support e-commerce.

The company needs a complete understanding of any potential impact of a cyberattack or data breach, including the wider impact on business strategy. Performing a thorough risk assessment not only helps the organization identify and address risks and potential gaps in security but can facilitate underwriting of cyberrisks and may even result in premium reductions. Once the organization has a grasp of its risk profile and potential exposures, it can consider its insurance needs.

Examine Existing Insurance Policies
Some coverage for these potential losses and liabilities may be available under existing insurance policies already held by the business. These include general liability, directors and officers liability, professional indemnity, crime and property and business interruption policies. Careful assessment of the coverage provided by these policies is essential, however, as there are likely gaps in coverage because such policies have not historically been designed to cover non-tangible assets and network-related risks. The company will need to consider whether to fill those gaps with enhancements to existing policies or through new cyberrisk products now being offered by insurers.

Consider the Need for Cyberinsurance
There are now a number of cyberinsurance products available, and the scope of coverage varies from insurer to insurer. These policies typically cover losses and liabilities such as:

  • Data liability. This covers damages and defense costs resulting from any claim against the insured from a data breach that compromises personal information. It should also cover claims alleging that information has been lost or compromised as a result of unauthorized access to, or use of, the insured’s computer systems. It is important that the policy covers not only an individual’s personal information but also employee data and confidential corporate information. Many organizations possess third-party trade secrets, customer lists, marketing plans and other information that could be beneficial to competitors and may result in liability if compromised.
  • Media liability. This insures damages and defense costs resulting from any claim against the insured for infringement of copyright and other intellectual property rights, as well as misappropriation or theft of ideas or media content. While coverage may not extend to content published in a personal capacity, this should ideally be included, as organizations may face significant liabilities as a result of employees using Twitter, Facebook and other social media.
  • Regulatory coverage. This covers the costs of response to any administrative, government or regulatory investigation following a data breach or cyberattack, as well as any fines or penalties imposed. However, this coverage is typically limited to civil fines and penalties, as criminal fines and penalties are not insurable in many jurisdictions. Some regulators, including the Financial Conduct Authority (FCA) and the Securities and Exchange Commission (SEC), prohibit regulated firms from recovering from insurers any fines or penalties the regulators impose.
  • Remediation coverage. Most policies provide coverage for additional costs associated with a data breach, including the costs incurred to notify those affected and relevant authorities, provide credit monitoring for those affected and set up call centers to field inquiries from concerned clients. Coverage may also extend to the costs of forensic services to determine the cause and scope of a breach, as well as public relations expenses and other crisis management costs.
  • Information assets coverage. The policy may include coverage for costs of recreating, restoring or repairing the company’s own data and computer systems. This may also extend to third-party data that has not been captured by back-up systems or that has been corrupted or lost because of negligence or technical failure.
  • Network interruption coverage. The policy may cover lost revenue from network interruptions or disruptions because of a denial of service attack, malicious code or other security threats.
  • Extortion coverage. Many policies insure the costs of responding to ransom or extortion demands to prevent a threatened cyberattack.

Cyberinsurance policies vary significantly, so the specific policy terms and conditions should be analyzed carefully to ensure that the coverage meets the company’s likely loss scenarios and potential exposures. It is particularly important to consider whether the coverage extends to information in the hands of third parties where data handling, processing and storage has been outsourced to third parties, including cloud service providers. If the organization has outsourced data handling, then it should secure coverage for any loss or business interruption arising from data that is managed by third-party service providers.

Consider the “retroactive date,” as policies often limit coverage to cyberattacks or data breaches occurring after a specified date, such as policy inception. It is important to request retroactive coverage for network security breaches that may have occurred before the inception date, as it is not uncommon for cyberattacks to remain undetected for a considerable period.

Review Defense and Settlement Provisions
Cyberinsurance policies include defense provisions that typically limit coverage for defense costs to those that are reasonable and incurred with the insurer’s prior written consent. While many insurers include these types of provisions to insist on the appointment of their own choice of defense counsel, selection of defense lawyers is an important issue. Some companies prefer to appoint lawyers whom they know well and who are familiar with their business. Moreover, certain claims arising from the use of technology, such as claims for breach of confidence, breach of copyright and defamation, require specialist counsel with particular experience. The company should therefore consider requesting a specific provision reserving the right to choose its defense lawyer, although the decision will usually be subject to the insurer’s prior approval.

Check the Fine Print
The “devil is in the details,” especially with cyberinsurance. While the market has developed rapidly in recent years, there are inconsistencies in the cover provided, and minor variations can have significant impact on the availability of coverage.

There will likely be efforts by the insurer to exclude risks that should be covered under other types of policy, and this is not unreasonable. It is important, however, to avoid broadly worded exclusions that could extend beyond that concern, or attempt to undermine the initial purpose of the insurance. For example, insurers might seek to impose exclusions based on possible shortcomings in the company’s network security. These types of exclusions should be resisted.

Insurance can play a vital role as part of an overall strategy to mitigate cyberrisk, but it is necessary to look beyond the policy limits to ensure that the coverage provided — whether under traditional policy forms or specific cyberinsurance policies — is as broad as possible.

Ms. Gates wrote this article with Sarah Turpin, a partner in the dispute resolution and insurance coverage groups in K&L Gates’ London office.