The popularity of ransomware is on the rise, and programs like Cryptolocker and TorrentLocker do more than just lock a screen — they search for files by extension (e.g., pdf, doc) and encrypt them, withholding the encryption key until ransom is paid. Several hospitals have made the news as victims of this type of malware. In February, Hollywood Presbyterian Medical Center was locked out of its EHR systems for a week while it negotiated, internally and externally, whether to pay what ended up being a ransom of $17,000 in bitcoin. The amount was paid, and that bitcoin address is certainly being heavily tracked — more business for bitcoin-laundering services like BitMixer or Bitcoin Fog — but would insurance reimburse the hospital for paying the ransom? Would traditional forms of extortion or kidnapping insurance cover these digital demands?
First-party liabilities like cyber extortion and network interruption may be covered by cyber insurance policies, but the deductibles are usually high, and would likely be above $17,000. They also may have an “acts of foreign enemies” or “government acts” exclusion that would limit reimbursement if the ransomware was distributed by hackers tied to a foreign government. Attribution is already difficult even without a monetary incentive riding on it, and the time and resources necessary to definitively attribute an attack could also exceed the amount paid as ransom. The relatively small ransom amounts demanded are by design — the malware designers aim to infect as many computers as possible, and to be paid as quickly as possible. By keeping ransoms to a few hundred or a few thousand dollars, they hope victims will pay quickly rather than give up access to their files for days or weeks while in pursuit of an anti-ransomware tool.
Are the hackers correct in that assumption? In a survey of 200 IT professionals by the Cloud Security Alliance, 24% said they would pay a ransom if faced with ransomware, and willingness to pay was correlated with possessing cyber insurance. That number sounds accurate — when faced with a robber without a weapon, only 24% of people give in without a fight — but could be higher in the moment, as the potential victims include hospital patients or customers, not just the individual whose computer was first affected. Paying the ransom isn’t only one person’s decision, either; cyber insurance policies that cover extortion expenses frequently require advance notification, the consent of at least one executive, and no public disclosure of cyber extortion coverage (which might lead to more of the insurer’s customers being specifically targeted).
Recommendations to mitigate damage from ransomware include backing up your data, storing those backups on machines that are connected neither to the internet nor to the computers they back up, and storing at least one backup in a separate physical location. While this redundancy means more hardware costs, insurers may require these protections before providing cyber extortion insurance, since they greatly lessen the likelihood of ransomware claims. Insurers may also want to know that a plan is in place if a ransomware incident occurs: who would be notified and when, who would have decision-making authority to pay or not pay a ransom, and who would be responsible for coordinating with authorities to ensure a ransom payment can be tracked as long as possible.
If your organization decides that it doesn’t negotiate with digital kidnappers, and would rather eat the costs of purchasing new hardware (potentially reimbursable with applicable insurance) than pay a ransom, there is a third option: security companies like Kaspersky, Malwarebytes, Cisco, Norton, and TrendMicro are developing tools to combat popular types of ransomware. These tools are free and can be deployed via USB, and an insurer presented with a ransomware claim will look to see that a client tried these methods before paying a ransom.