How insurers are rethinking ransom coverage

Ransomware has long been a thorn in the side for insurers, particularly in recent years.

And, although the market will continue to see rate changes in reaction to ransomware losses over the next year, “insurers will be equally focused on ensuring their portfolios are resilient against any unanticipated changes in the threat landscape and future systemic losses,” said Lindsey Nelson, cyber development leader at CFC Underwriting.

In particular, she added, those who make significant investments in their in-house technology claims solutions will be best equipped to handle severe ransomware events.

Unfortunately, ransomware is not always covered in cyber insurance policies. Coverage depends on the overall risk and industry appetite of the insurer, said Danion Beckford, underwriter of professional liability with Burns & Wilcox Canada.

Payment of the ransom is really a decision between cyber experts and the insured. However, “industries such as government, higher education, hospitality and law are more likely to pay out the ransoms, as losing the access to the data could be truly detrimental,” Beckford noted.

Nelson said the propensity for businesses to pay ransoms is driven by those who don’t have access to the experts that come with a cyber insurance product. “[These businesses] will often make the decision to pay because they don’t know what the alternative is.”

She said it’s also important to distinguish between coverage for the ransom demand (often under the name ‘extortion’ cover) and coverage that responds to a ransomware event, including forensics, system business interruption and recovery costs.

There is “an increasing perception that the availability of extortion coverage is perhaps fuelling crime or providing criminals with incentive to ask for higher demands,” Nelson said. “In response to that, one of our peers has made the decision to remove the coverage for extortion altogether, and it becomes a topical point of conversation within the market.”

Still, CFC believes removing extortion cover “doesn’t solve ransomware crime, especially when you consider only 15% of businesses buy a cyber insurance policy,” Nelson said. Furthermore, ransom attacks continue to happen even “when we know there are existing regulations in place to ban payments being made to sanctioned entities.”

For Beckford, knowledge is power. Although ransom risks will continue to increase, many of them can be stopped before hackers get in the digital door, he said.

“Insurers must ensure that employees continue to understand the importance and risks associated with cyber threats. As underwriters, we must have an understanding of how often cyber training—on phishing, passwords, and more—is conducted [with] all staff.”

This article is excerpted from the Feb.-Mar. issue of Canadian Underwriter. With files from Greg Meckbach.

Feature photo courtesy of iStock.com/MartialRed