According to FBI data, cyber-criminals are on pace this year to collect approximately $1 billion through cyber extortion. This is a practice in which extortionists threaten to cripple a computer system or obtain and/or release confidential information unless their demands (usually for money) are satisfied. Although much of this money is coerced from individuals in increments of several hundred dollars, more and more organizations are finding themselves in cyber extortionists’ crosshairs, including documented incidents against local governments, schools, hospitals and businesses in a range of industries. As cyber extortionists increasingly target organizations rather than individuals, security professionals fear the costs of cyber extortion incidents could dramatically increase.
Cyber extortion can take various forms, but ransomware is by far the most common variant. Ransomware is a type of malicious software that, when launched within a computer (usually from an e-mail opened by an unsuspecting employee), encrypts data or locks access to critical applications. An anonymous demand for payment then overlays the computer screen, usually for bitcoin—a form of electronic currency that is difficult to trace—in exchange for the decryption key. In February, a California hospital reportedly paid $17,000 in bitcoin after ransomware hobbled its computer systems and prevented employees from sharing communications electronically for 10 days.
Other forms of cyber extortion include denial-of-service attacks that disrupt networks until payment is made, or threats to disclose customer data or other confidential information unless a specific demand is met. For example, in 2007, Nokia reportedly paid millions of euros to cybercriminals to prevent the release of an encryption code that could have compromised the security of its customers’ phones and, in 2015, a hacker released customer data from a bank in the United Arab Emirates after it refused to pay a bitcoin ransom of about $3 million.
A cyber extortion threat can exert enormous pressure on an organization to decide whether to satisfy an extortion demand, and there are strong reasons for refusing to do so. Law enforcement agencies discourage paying ransoms, for starters, and there is no guarantee that the extortionists will remove the threat if payment is made, or the threat accompanying the demand may be preventable or lack credibility to begin with.
In some instances, however, an organization may determine that the cost of paying a ransom pales in comparison to the potential operational, reputational and other losses that could result if the demand is not met. According to a Cloud Security Alliance survey of more than 200 IT security professionals worldwide, 24% of companies would be willing to pay some amount of money as a ransom to prevent a cyberattack, and 14% would be willing to pay a ransom of $1 million or more.
To help manage cyber extortion exposures, many organizations have purchased cyber insurance policies or other types of policies that specifically cover cyber extortion. But the terms of this coverage are relatively new, often not well understood or developed, and vary from one policy to another. To make the most of this coverage and avoid surprises, insureds should familiarize themselves with the specific terms of their policies and be prepared to engage their insurer if and when a cyber extortion event occurs.
As with any type of unexpected event that an organization may face, insureds threatened by a cyber extortion incident should consider all potentially applicable insurance policies and coverages, not just cyber extortion coverage. Depending on the specific situation, a cyber extortion event may trigger various provisions in a cyber insurance policy, such as coverage for forensic investigation costs, business interruption and extra expense, and data restoration. Such an event could also trigger coverage under other types of insurance, such as kidnap and ransom or commercial crime policies.
Cyber extortion coverage, however, is specifically marketed to cover losses that an insured incurs in response to a cyber extortion incident, and therefore may offer the best opportunity for an insured to secure a favorable coverage determination from its insurer. As a result, organizations that are concerned about cyber extortion should familiarize themselves with their cyber extortion coverage and pay particular attention to the following four policy terms: trigger of coverage, notice requirements, consent requirements and types of covered loss.
Trigger of Coverage
Cyber extortion coverage in many cyber insurance policies is triggered when an insured receives a threat in which the extortionist threatens to either attack the insured’s computer system or to release confidential information in the insured’s possession for the purpose of demanding something of value, usually money, from the insured.
As to the first scenario, policies often employ different wording to define the type of attacks that, if threatened, trigger coverage. Some policies simply refer to an intentional attack against the computer system, while others enumerate a list of malicious attacks that negatively impact the computer system. Some policies that list specific types of attacks are more comprehensive than others. Whatever the approach, the breadth of the trigger may depend on the definitions of "computer system" or other defined terms that appear in the trigger wording. The policy wording should be broad enough to encompass any type of threat to corrupt, damage, destroy or restrict access to the computer system, including programs and data stored in the system.
The good news for insureds is that cyber extortion coverage typically does not require an actual violation of computer security—the wording in many policies appears to contemplate threats to commit future attacks. Whether the demand is made to avoid a potential attack or to end an ongoing attack, such as ransomware or denial of service, should make no difference in terms of coverage, and policies that suggest otherwise should be avoided.
The second type of threat that triggers coverage—the threatened disclosure of confidential information—may seem to overlap the first type, but this is not always the case. For example, criminals may have stolen confidential information months prior to launching their extortion scam or obtained confidential information by means other than accessing an insured’s computer system. (That said, some policies do tie cyber extortion coverage to an event involving threatened or alleged unauthorized access to an insured’s computer system.)
Insureds may expect that a threat to disclose their own confidential information would trigger coverage. Many cyber policies, however, draw a distinction between the insured’s own information and that of third parties in the insured’s possession. Such policies may only cover threats to disclose customers’ personally identifiable information or a partner’s trade secrets. Insureds would be better served by policies for which the trigger of coverage for a cyber extortion incident includes a threat to disclose any confidential information in the insured’s possession, not just a third party’s confidential information.
In addition, some policies may limit coverage to threats specifically seeking money. Although cyber extortionists demand money in most instances, demands could seek intellectual property or some action by the insured. For instance, hackers threatened to and ultimately did release the personal information of 37 million Ashley Madison users after the company ignored their demand to shut the website down.
To be most effective for the types of cyber extortion risks businesses are now facing and may face in the future, the trigger wording of cyber extortion coverage should be drafted in broad terms to encompass any type of cyber or disclosure threat made for the purpose of seeking any type of action.
Notice Requirements
Once cyber extortion coverage is triggered, the insured must provide notice to the insurer. But notice may not be the first thing that comes to an insured’s mind in the emergency atmosphere of a cyber extortion event. Notice requirements differ considerably. For example, some policies require the insured to report a cyber extortion threat in writing “as soon as practicable” and/or within a certain number of days, while other policies require “immediate” notice. In some policies, the notice requirements specific to the cyber extortion coverage differ from those applicable to other coverages in the same policy. A failure to provide timely notice can jeopardize coverage. To provide insureds with breathing room to handle the emergency and evaluate their coverage rights, policies should require the insurer to demonstrate that it has been actually prejudiced by an insured’s late notice before such notice can serve as a basis for denying coverage.
Some policies also require the insured to notify law enforcement authorities of a cyber extortion threat. Although many facing a cyber extortion incident do not need prompting to contact the police or the FBI, insurers appear concerned that some insureds may be reluctant to involve authorities. In light of the variation in notice requirements among or even within policies, it is important for insureds to understand the notice requirements applicable to the cyber extortion coverage in their policies.
Consent Requirements
The most distinctive feature of most cyber extortion coverage is the consent requirement. Before satisfying a cyber extortion demand or incurring other costs in response to a cyber extortion event, many policies require an insured to first obtain the insurer’s approval to pay or incur costs. But many policies do not delineate under what circumstances an insurer must give its consent. Some policies suggest that the threat must be “credible” or “immediate,” but do not define what such terms mean. What constitutes a credible cyber extortion threat may differ from one case to another.
Widespread claims experience data for cyber extortion coverage is not available, and many insurers may be willing to readily consent to the payment of cyber extortion demands. Circumstances may arise, however, where an insured and insurer do not see eye to eye about whether a threat is credible or immediate or, even if there is agreement, whether, when or how to satisfy an extortion demand. There may also be disagreements over whether cyber extortion coverage under the particular wording of a policy is triggered. In general, insurers must have a good faith basis to withhold consent, but no court decisions have addressed the consent requirement in the context of cyber extortion coverage. At a minimum, policies should state that the insurer’s consent may not be unreasonably withheld.
The key to securing coverage and reducing potential delays in obtaining the insurer’s approval is understanding from the outset that the insured may have to engage its insurer while the cyber extortion event is unfolding, without knowing all of the facts. The insured must then convince its insurer to consent to the costs of retaining consultants and satisfying the extortion demand. Insureds should promptly notify the insurer and law enforcement of the cyber extortion threat and quickly retain qualified specialists (with the insurer’s consent, if required by the policy) to investigate a cyber extortion threat with the aim of determining and documenting its credibility and immediacy. Law enforcement may also play a role in evaluating the threat.
If the insurer’s consent is not forthcoming, the insurer may be willing to consent while reserving its rights to challenge coverage on other grounds. This is less than ideal, but it is an approach that has been followed in other insurance contexts where, for instance, insurers have expressed reservations about consenting to the settlement of a lawsuit, as in U.S. Bank National Assoc. v. Indian Harbor Insurance Co.
Types of Covered Loss
Finally, cyber extortion coverage differs from policy to policy in terms of the types of losses covered. In its most basic form, it covers the loss that an insured incurs to pay a cyber extortion demand. The coverage in some policies, however, broadly applies to any expenses that an insured incurs in response to a cyber extortion event, including the costs of investigating and assessing such a threat.
Cyber extortion coverage is often written on a reimbursement basis. Thus, the insured typically must pay for the costs of investigating and assessing the threat and may be responsible for paying the extortion demand before the insurer reimburses the insured for such payments. For many insureds, coverage on a reimbursement basis introduces the headache of marshalling resources to retain consultants to address the threat and to pay the demand, as well as obtaining bitcoin, the electronic currency typically demanded.
Cyber extortion coverage also is often subject to a retention. Low-dollar extortion demands may not exhaust the retention, but the other costs an insured incurs in response to the incident may. Although an incident might not seem very costly at first, insureds should still consider providing notice to the insurer in case the costs ultimately add up and exceed any applicable retention.
Some policies appear to tie coverage for the cost of investigating a cyber threat to whether the insured actually satisfies the extortion demand. Such a structure is disadvantageous to an insured that expends significant sums to investigate a threat only to decide against paying the extortion demand. Investigation expenses should be covered even if the insured ultimately decides against paying the ransom.
Cyber extortion coverage can be a valuable tool for mitigating losses arising from the growing cyber extortion threat to businesses and other organizations. To fully realize the benefits of this coverage, however, risk managers and in-house counsel should familiarize themselves with the particular terms of their organization’s coverage and understand the steps they need to follow to secure and maximize their coverage.