Ransomware and Cyber Extortion: Are These Cybercrimes Covered Under Your Cyber Risk Insurance Policy?

Plus:  Beware Of A New Microsoft Tech Support Ransomware Scam!

Ransomware attacks, a relatively new type of cyber extortion, are on the rise.  On Friday, May 12th, the largest ransomware attack ever recorded, the so-called WannaCry attack, began making headlines across the globe.  What started with one innocent and unsuspecting person using a computer in Europe quickly spread to more than 300,000 computers worldwide, ultimately infecting systems running Microsoft Windows in more than 150 countries, with India, Great Britain, Germany, China, Russia, and Japan being hit the hardest.

Ransomware is a type of malicious software (or “malware”), commonly delivered in a trojan email attachment, which automatically encrypts files on an infected computer.  The user of the computer is immediately denied access to those files and is then informed that the files can only be accessed again with a decryption code that the cyberextortionist will provide, but only after receiving a ransom payment.  In the WannaCry attack, the hackers demanded $300 from each user to release control of their encrypted files.

According to the highly-regarded Verizon 2017 Data Breach Investigations Report, which provides a detailed analysis of nearly 2000 data security breaches from the prior year, malware continues to be a mainstay of cybercriminal activity.  Ransomware rose to the fifth most common type of malware utilized by cybercriminals - a 50% increase from last year’s report.  A more concerning statistic, however, is this: email was the vector through which 80% of ransomware was installed. This should alarm all businesses, both large and small, because no matter how much emphasis is placed on security awareness and training, individuals will continue to open suspicious email attachments and follow links to websites infected with malware.

Insurance Considerations

In light of the WannaCry cyber-epidemic and the significant increase in ransomware incidents, businesses are well-advised to review all of their insurance policies to determine what, if any, coverage may exist for cyber extortion.  The obvious place to start is with the company’s cyber risk insurance policy, assuming the company chose to purchase one.  But a comprehensive analysis should not be limited to the company's cyber insurance policy. Technology patch management, cyber security, and employee training are critical and imperative to good cyber hygiene.

Most cyber insurance policies are modular, which means the buyer may choose from a menu of available coverage options.  And because cyber insurance is an evolving product and still a relatively new offering, the terms and conditions set forth in most policy forms, as well as the types and scope of the coverage being provided, are negotiable.  Set forth below are various options to consider.

• Basic Coverage.  While every cyber policy contains different language, it is fair to say that a basic policy typically provides both first-party and third-party coverage for cyber incidents.  First-party costs generally include forensic investigation of the breach, legal advice to determine the company’s notification and regulatory obligations, proper notification and credit monitoring for affected persons, crisis management, and public relations expenses. Third-party coverage typically includes the costs associated with civil lawsuits, judgments, settlements, and regulatory penalties resulting from a cyber incident.  The scope of first-party and third-party coverage can be expanded to provide coverage for many different risks, so long as an additional premium is paid.  Several types of coverage fall within this category, including ransomware and cyber extortion protection.

• Ransomware and Cyber Extortion.  Generally speaking, a basic cyber insurance policy does not include coverage for ransomware or any other type of cyber extortion.  Obtaining this type of coverage typically requires the purchase of a separate endorsement to the policy or a separate insuring agreement, often in the form of a kidnap and ransom policy.  In other words, if you want insurance coverage for ransomware incidents, you have to pay an additional premium to get it.  Considering the increasing ransomware threat, businesses should seriously consider obtaining this additional coverage if they have not already done so.

• Business Interruption.  Business interruption coverage is designed to replace the business income lost as a result of a cyber incident that interrupts the general operation of a business.  As one might expect, a ransomware incident could result in a significant  and lengthy interruption to any company’s ability to conduct business, at least until the ransom is paid.  Coverage for business interruption in the event of a ransomware incident is not generally included in basic cyber coverage forms.  Instead, such coverage must be added by an endorsement to the existing cyber policy or the purchase of a separate insuring agreement.

• Contingent Business Interruption.  Contingent (or dependent) business interruption coverage reimburses a company for lost profits resulting from a business interruption suffered by one or more of the company’s suppliers or third-party vendors.  For example, many companies are now utilizing the cloud as a critical part of their business infrastructure.  Some believe their files are safe from ransomware and other viruses merely because they have uploaded them to a cloud storage service like Dropbox, Google, or iCloud.  But that is simply not true.  A cloud storage provider (as opposed to a cloud backup service) is no less susceptible to cyber extortion than the companies it serves.  If your company’s cloud storage provider falls victim to ransomware, your business could come to an immediate halt.  Unless you chose to purchase contingent (or dependent) business interruption coverage, you will have no insurance protection for any profits you lose as a result of the ransomware attack on one of your critical service providers.  

In light of the recent surge in ransomware attacks, every company should take a closer look at their insurance policies to get a complete and accurate picture of the scope of their protection.  If you have not already done so, you should consider purchasing a stand-alone ransomware policy and coverage for business interruption and contingent business interruption, none of which is a component of basic cyber risk insurance.

Additional Forms of Cyber Attacks Worth Noting

Although ransomware attacks will continue to be a significant threat, businesses and other organizations must implement and maintain a comprehensive strategy for identifying risks and adjusting their security efforts accordingly to ensure they are as effective as possible.  With that purpose in mind, companies should take note of some other key takeaways from the Verizon Report:

• Smaller Companies Are A Target.  Of the nearly 2000 breaches analyzed for the Report, 61% involved businesses with fewer than 1000 employees.

• Weak, Stolen, or Compromised Credentials.  With more than one billion credential records stolen in 2016, weak, stolen, or compromised credentials remain the leading vulnerability.  Continuing to use simple username and password authentication significantly increases the likelihood of a breach.  Companies that allow external employees or customers to login to their network should be particularly concerned about this vulnerability.
• Pretexting and Social Engineering.  The use of pretexting is on the rise.  Pretexting is a form of social engineering in which an individual uses deception to obtain confidential information.  It often involves a scam in which the cybercriminal pretends to need personal information in order to confirm the identity of the individual to whom he is speaking.  This tactic is predominantly used to target employees who have the authority to transfer money or other financial information (e.g., employee W-2 forms).  The primary attack vector is email communication.

Insurance Consideration.  It is important to note that, depending on the circumstances of the case, cybercrimes committed through social engineering may not be covered under the terms of a basic cyber insurance policy. Social engineering incidents may, however, be covered under a company’s Cyber Crime Endorsement or separate crime insurance policy. Crime insurance is designed to cover losses resulting from criminal acts such as robbery, burglary, and other forms of theft.  One common example is where a cybercriminal uses a well-planned social engineering scam to trick an unwitting employee into believing that the company needs him or her to wire money to a bank account which, unbeknownst to the duped employee, is actually controlled by the cybercriminal. This scenario may very well constitute a “theft” that triggers coverage under the company’s crime policy. That said, both the crime policy and the cyber policy should be reviewed to determine the company’s true scope of coverage for social engineering crimes.  The company may learn that it has no coverage at all for such cybercrimes because it was a voluntary release of funds. On the other hand, the company may learn that it has been paying a premium for coverage under both policies, which may or may not be necessary.  

• Cyberespionage.  Cyberespionage is now the leading cause of confirmed breaches in manufacturing, professional services, education, and the public sector.  Much of this can be attributed to the proliferation of proprietary research, prototypes, and confidential personal data, all of which are increasingly valuable to cybercriminals.  Cyberespionage has also been used to gather information which could be used to conduct insider trading.

• Phishing is Still a Popular Tactic.  Despite an increase in security awareness training, individuals continue to open suspicious email attachments and follow links to websites, both of which can result in the installation of malware, including ransomware.

WARNING: The Microsoft Tech Support Ransomware Scam

According to Stealthcare Cyber Intelligence, a global cyber security firm, a new pretexting scam is emerging in the wake of the global WannaCry ransomware attack.  Cybercriminals are calling unsuspecting Windows users, claiming to work for Microsoft, and falsely stating that the user’s computer may have been infected with the WannaCry ransomware and may need to be “fixed.”  The cybercriminals then use social engineering to convince the user to allow remote access to his or her computer.  

Once remote access is established through a series of steps, the cybercriminals use a “patch” to infect the computer with malware.  Once that is accomplished, they falsely claim that the user’s computer has, in fact, been infected by the WannaCry ransomware and then demand $400 to remove it.  Effective use of social engineering, including exploiting the user’s anxiety over news coverage of the WannaCry crisis, can ultimately result in $400 payments to the cybercriminals.