Most IT leaders plan for cyber attacks by constructing firewalls and installing security hardware and software, but they typically don’t think about cyber insurance. Yet with malware so widespread, companies are finding that their IT infrastructure has been attacked, customer data has been compromised, their systems are being held for ransom, and assets are missing.
Almost every day there are reports of cyber intrusions, attacks and related security breaches. If your company does not have the right insurance, a breach can be even more of a disaster. For example, according to regulatory filings, Target had about US$100 million in insurance coverage with a $10 million deductible at the time of its late-2013 breach, and that did not even make a dent in the estimated losses of $1 billion.
What company can afford not to have insurance for a potential cyber disaster? Let’s look at some protective measures that can be taken to safeguard your business.
As a practical matter, you or your chief risk officer should examine your current insurance policies to see whether you have protection for these cyber risks:
- Network and information security liability
- Communications and media liability
- Crisis management event expenses
- Security breach remediation and notification expenses
- Computer program and electronic data restoration expenses
- Computer fraud
- Funds transfer fraud
- E-Commerce extortion
Of course, each business has its own insurance needs, so you will need to make your own decisions about the right coverage. For instance, if your company is in the healthcare industry, specific coverage for breaches of HIPAA-regulated health data should be included.
Inspect Your Policies
Some insurance companies offer cyber protection as an add-on to a commercial general liability (CGL) policy, while others include cyber protection in dedicated cyber crime policies.
It would be wise to take a look at what coverage your company has and what is available, and to make sure you do have cyber insurance coverage.
Whether cyber coverage is part of certain CGL policies is the subject of a declaratory judgment complaint brought by Travelers Indemnity Company in the U.S. District Court in Connecticut in October 2014. The complaint alleged that the P.F. Chang’s restaurant chain did not have cyber coverage with Travelers, and that because there was no cyber coverage, Travelers “is not obligated to defend or indemnify P.F. Chang’s…under GCL insurance policies issued by Travelers.”
Travelers appears to have filed the action for two reasons. First, P.F. Chang’s had filed a claim under its Travelers CGL policy for a cyber breach involving seven million customers’ credit and debit cards. Second, customers had brought class actions against P.F. Chang’s in several states, accusing it of failing to prevent the breach and of breach of implied contract.
Interestingly, the breach itself began on Sept. 18, 2013, but P.F. Chang’s was unaware of it until nine months later, on June 10, 2014.
It will be interesting to follow this case to see how the Court views the CGL coverage.
Examples of Cyber Insurance Coverage
AIG, one of the largest insurance companies in the world, offers CyberEdge, which provides coverage for security or data breach losses as follows:
- Direct first-party costs resulting from a breach
- Lost income and operating expense resulting from a security or data breach
- Threats to disclose data or attack a system to extort money
- Online defamation
Travelers, another large insurance company, offers CyberFirst, which includes a number of related insurance coverage provisions:
- Technology errors and omissions liability
- Network and information security liability
- Communications and media liability
- Employed legal professional liability
- Expense reimbursement
How to Assess a Cyber Incident
Firewalls and security hardware and software are where most IT leaders start, but once malware has gotten through, the burden falls on the IT leadership (CIOs, CISOs and CTOs) to do an immediate assessment of what transpired:
- Identify the malware within their networks
- Review logs to establish when and where the intruders came in
- Determine what, if any, data was remotely accessed
- Determine what, if any, data was sent off the network
- Determine whether backup files can be used to reconstruct encrypted data
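As an added example (not from the original article), the following Python script works through the log-review and backup questions above on constructed sample data: it finds the earliest contact with a suspect external host (when they got in), totals outbound bytes from internal hosts to each external destination to spot possible exfiltration (what left the network), flags data whose byte entropy suggests it has been encrypted, and checks that a backup both matches its manifest hash and predates the intrusion before anyone restores from it. The log format, the 10.0.0.0/16 internal range, the 100 MiB exfiltration threshold and the 7.5 bits-per-byte entropy threshold are assumptions chosen for the example, not figures from the article.

```python
"""Ransomware incident triage on constructed sample data (added example, not from the article).

Assumptions: log lines are "timestamp src dst direction bytes"; the corporate
network is 10.0.0.0/16; the thresholds below are illustrative and need tuning.
"""
import hashlib
import math
import re
from collections import Counter
from datetime import datetime

# Constructed proxy/firewall log lines for the example (not real traffic).
SAMPLE_LOG = """\
2014-06-08T02:14:07Z 10.0.5.21 198.51.100.17 out 1024
2014-06-08T02:14:09Z 198.51.100.17 10.0.5.21 in 4096
2014-06-08T03:40:55Z 10.0.5.21 198.51.100.17 out 734003200
2014-06-09T09:12:00Z 10.0.5.44 203.0.113.5 out 2048
2014-06-09T09:12:01Z 10.0.5.21 198.51.100.17 out 402653184
"""

INTERNAL_PREFIX = "10.0."            # assumed corporate range 10.0.0.0/16
EXFIL_THRESHOLD = 100 * 1024 * 1024  # 100 MiB to a single external host is worth a look
ENTROPY_THRESHOLD = 7.5              # bits per byte; ciphertext approaches 8.0
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (in|out) (\d+)$")


def parse_ts(text):
    """Parse the ISO-8601 UTC timestamps used in the sample log."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped rather than aborting triage."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, direction, nbytes = m.groups()
        events.append({"ts": parse_ts(ts), "src": src, "dst": dst,
                       "dir": direction, "bytes": int(nbytes)})
    return events


def is_internal(ip):
    return ip.startswith(INTERNAL_PREFIX)


def first_contact(events, suspect_ip):
    """When they got in: earliest log entry in which the suspect host appears, or None."""
    times = [e["ts"] for e in events if suspect_ip in (e["src"], e["dst"])]
    return min(times) if times else None


def suspicious_outbound(events, threshold=EXFIL_THRESHOLD):
    """What left the network: bytes sent from internal to each external host, above a threshold."""
    totals = Counter()
    for e in events:
        if e["dir"] == "out" and is_internal(e["src"]) and not is_internal(e["dst"]):
            totals[e["dst"]] += e["bytes"]
    return {dst: n for dst, n in totals.items() if n >= threshold}


def shannon_entropy(data):
    """Entropy in bits per byte; 8.0 is the maximum, reached by uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted(data, threshold=ENTROPY_THRESHOLD):
    """Heuristic: high entropy suggests the content was encrypted (or compressed)."""
    return shannon_entropy(data) >= threshold


def backup_is_usable(backup_bytes, manifest_sha256, taken_at, intrusion_started_at):
    """A backup is only useful for recovery if it is intact and predates the intrusion."""
    intact = sha256_hex(backup_bytes) == manifest_sha256
    return intact and taken_at < intrusion_started_at


def triage(log_text, suspect_ip, backup_bytes, manifest_sha256, backup_taken_at):
    """Run the checks above and return a summary dict."""
    events = parse_log(log_text)
    entry = first_contact(events, suspect_ip)
    usable = entry is not None and backup_is_usable(
        backup_bytes, manifest_sha256, backup_taken_at, entry)
    return {"first_contact": entry,
            "exfil_candidates": suspicious_outbound(events),
            "backup_usable": usable}


if __name__ == "__main__":
    # Constructed backup; the manifest hash is computed here only to keep the example
    # self-contained. In practice it comes from the backup system's own manifest.
    backup = b"constructed backup contents"
    print(triage(SAMPLE_LOG, "198.51.100.17", backup, sha256_hex(backup), parse_ts("2014-06-07T00:00:00Z")))
    print("encrypted?", looks_encrypted(bytes(range(256)) * 16), looks_encrypted(b"tax records 2013 " * 100))
```

The suspect address normally comes from the malware sample itself or from the outlier destinations that `suspicious_outbound` surfaces, and the entropy test is only a heuristic: compressed archives and images also score high, so it narrows the list of files to inspect rather than proving encryption. The backup check is the one step that must never be skipped, since a backup taken after the intrusion may already contain encrypted files or the malware.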
Following the assessment, companies may need to notify affected customers, as well as their own employees, under the breach notification laws of 47 states. If credit card or banking information has been compromised, they may also have a legal duty to provide credit protection services for up to one year. This happens more often than people want to know.
Report the Cyber Incident — It May Be a Crime
Of course, it is important that the U.S. government learns about cyber incidents so it can investigate and find the bad guys. Incidents should be reported to the Internet Crime Complaint Center (IC3), a partnership between the FBI and the National White Collar Crime Center. The IC3 defines Internet crime:
…as any illegal activity involving one or more components of the Internet, such as websites, chat rooms, and/or email. Internet crime involves the use of the Internet to communicate false or fraudulent representations to consumers. These crimes may include, but are not limited to, advance-fee schemes, non-delivery of goods or services, computer hacking, or employment/business opportunity schemes.
If your company has a cyber intrusion, consult your lawyer first to be sure you take the appropriate steps, including making a timely cyber insurance claim.
Once data is held for ransom by ransomware, there is no guaranteed way to reclaim it, not even by paying. Ransomware’s victims typically are those with the least protection. To avoid becoming a target, install strong security tools on your computers and mobile devices, back up data to a reliable cloud service, keep passwords in a secure location, and exercise caution when clicking on links or opening attachments.
Malware is running rampant on the Internet, affecting smartphones, tablets and personal computers. Relatively new malware lets the bad guys encrypt a device’s files until a ransom is paid. Usually the ransom is demanded in bitcoin rather than U.S. currency, because it is much harder to trace to a person and to freeze than a bank transfer (bitcoin transactions are recorded on a public ledger, so they can be followed, but the wallets behind them need not be tied to an identity).
What are the legal and other risks associated with ransomware?
Ransomware is largely directed at personal devices and small businesses, particularly since larger companies tend to have better Internet hygiene for their devices — like regular backups and requiring that passwords be stored in a safe place rather than on a device.
Following are just a few examples of the data at risk from ransomware, which can plague you if you cannot immediately cleanse your device, or set up a new one and restore your data with an up-to-date backup:
- Tax information. What if you keep all of your tax records on your hard drive using Quicken or another program? Losing tax records and financial information will make it very difficult to do your taxes, or prove expenses if you are audited.
- Client work. If you are relatively paperless and store your work on the computer, you may lose valuable time or work.
- Passwords. If you are locked out of your bank accounts and other sites, it will take time to restore access, or you may lose access altogether.
How Can You Protect Yourself?
First, take steps to avoid ransomware in the first place. It is, after all, malware, so do not open attachments or visit websites if you are not sure of the source.
Second, get a good app for your smartphone or tablet, and a software program to protect your personal computer in real time. Be good to your devices: Install security tools and regularly run scans. If you think your smartphone or tablet has been infected with malware, think twice about plugging it into your computer.
Third, back up your hard drives to the cloud or to a portable hard drive. Of course, each option has its own risks. A portable drive that stays plugged in, or a cloud folder that syncs continuously, can have its copies encrypted right along with the originals, so keep at least one backup that is disconnected or that retains older versions. And when you use a free cloud service, you run the risk that your data may not be available when you need it.
What Exactly Is Ransomware?
Ransomware is specialized malware that “immediately makes its presence known by encrypting files and demanding payment for the keys to unlock them.” The Department of Homeland Security (DHS) issued an alert last fall that includes this description:
“Ransomware is a type of malware that infects a computer and restricts a user’s access to the infected computer. This type of malware, which has now been observed for several years, attempts to extort money from victims by displaying an on-screen alert. These alerts often state that their computer has been locked or that all of their files have been encrypted, and demand that a ransom is paid to restore access. This ransom is typically in the range of [100-300 US dollars], and is sometimes demanded in virtual currency, such as Bitcoin.
“Ransomware is typically spread through phishing emails that contain malicious attachments and drive-by downloading. Drive-by downloading occurs when a user unknowingly visits an infected website and malware is downloaded and installed without their knowledge. Crypto ransomware, a variant that encrypts files, is typically spread through similar methods, and has been spread through Web-based instant messaging applications.”
DHS discourages paying the ransom:
“Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.”
Notwithstanding DHS’ advice, the Dickson County (Tennessee) Sheriff subsequently paid a $500 bitcoin ransom to get back files on a corrupted computer, after consulting the Tennessee Bureau of Investigation and the FBI. Paying the ransom, they concluded, was the best way to deal with the problem at hand.
Dell SecureWorks last summer issued a report about CryptoWall Ransomware.
Between March and August 2014, “nearly 625,000 systems were infected with CryptoWall. In that timeframe, CryptoWall encrypted more than 5.25 billion files,” it states.
This type of ransomware is run by botnet operators, so there is no pattern to suggest which victims might be targeted for attacks. The report notes the following:
“Ransoms ranging from $200 to $2,000 have been demanded at various times by CryptoWall’s operators. The larger ransoms are typically reserved for victims who do not pay within the allotted time (usually 4 to 7 days). In one case, a victim paid $10,000 for the release of their files.”
Bromium recently released a report entitled “Understanding Crypto-Ransomware — In-Depth Analysis of the Most Popular Malware Families.” Its introduction makes the following observation:
“This threat is called crypto-ransomware (ransomware) and includes at least a half-dozen variants, including CryptoLocker and CryptoWall. Ransomware shows no sign of abating since traditional detection-based protection, such as antivirus, has proven ineffective at preventing the attack. In fact, ransomware has been increasing in sophistication since it first appeared in September 2013, leveraging new attack vectors, incorporating advanced encryption algorithms and expanding the number of file types it targets.”
Ransomware is a rapidly growing problem, and there is not yet a complete solution.
Until one is found, traditional advice still applies: protect your computers and other devices with antimalware software, back up regularly, and store your passwords in a safe place.