Blog: Cyber Liability Insurance

K&R insurance. Kidnap and Ransom(ware)

Ken Munro 22 Feb 2021

Businesses are increasingly getting insurance cover for cyber liability incidents. Whilst cover was traditionally focussed on US-style 3rd party losses relating to data breaches, claims are accelerating in the 1st party / ransomware and business interruption arena.

Ransomware claims are growing so fast that some underwriters are actually withdrawing from the market, and renewal premiums are increasing at the same time.

Under-insurance is a common problem: the costs of containing and restoring after a ransomware incident can quickly exceed cover limits.

When that happens, the insured will often start looking at their other insurance policies. Poorly worded policies can lead to ‘silent cyber’ cover – where a property or other policy unintentionally includes cover for cyber through loose terms.

As property and similar policies generally have much higher cover limits, that expensive ransomware incident that exceeded the cover now looks like it is covered again.

The Merck incident is a case in point. Their property policy had cover to $1.75Bn, including the destruction of computer data, coding and software. One can see that the author of the policy wording intended this to cover the physical destruction of a building containing said data. However, the policy wasn’t specific, so a claim was made for the loss of data as a result of the NotPetya incident.

Unsurprisingly, legal cases ensued, citing war exclusions for property damage.

I’ve come across numerous cases of ‘silent cyber’ cover over recent years, though the one I was most surprised about was a successful claim against a kidnap and ransom policy. K&R is intended to cover employees working in high risk locations being held hostage. It wasn’t intended to cover ransomware!

Some policies offered cover for cyber extortion, with the intention of covering executives being threatened with perhaps disclosure of personal information. Again, through loose wording, cyber extortion terms covered ransomware of data.

Numerous insurance market regulators are driving swift change to policy terms to clarify cyber cover. Cyber will be specifically written out of policies that are not intended to cover it, removing silent cyber. This is primarily to ensure that organisations purchase the right cover for the right risks, and that the insurance market is not exposed to unquantified or systemic risks from cyber.

Learnings for insureds

Assess the potential cost of recovering from a ransomware incident and any likely cascading impacts. Ensure you have specific and appropriate cover for that loss and don’t rely on silent cyber.

If you have good security controls and suitable risk assessments, share suitable evidence with your broker so they can help the underwriter set your premium in light of your reduced risk.

If you do have a ransomware incident and your cyber cover limits aren’t sufficient, it’s worth checking your other policy documents to see if you have cover. However, remember that you’re unlikely to receive cyber-specific benefits with those policies, such as a suitable incident response service.

But more than anything, assess your risks and buy the correct cover to mitigate them.