5 Ways to Manage Ransomware Claims

Chris Giovino , J. Christopher Dineen


March 2, 2020

As cybercrime becomes increasingly sophisticated, risk professionals must work in conjunction with their company’s chief information security officer, general counsel, CFO/treasurer, operations managers and human resources department to adopt a comprehensive approach to manage and respond to cyber-related exposures. Effective preparation is vital and typically involves carefully coordinated and integrated activities, including measures to safeguard technology; insurance that provides adequate risk transfer; and sound forensic, investigative and claims management to facilitate timely and complete recoveries.

Over the past year, organized crime rings around the world have launched a new wave of cyberattacks to shut down companies’ technology infrastructure, websites, operations, and access to funds, records and bank accounts. These criminals then demand immediate ransoms and can cause substantial downtime, reputational damage and, ultimately, business interruption losses. These attacks have targeted institutions and enterprises in all economic sectors and many victims remain in a perpetual state of recovery.

Along with testing and securing your technology infrastructure and diligently evaluating the information security practices of the enterprise’s trading partners and customers, the following five measures can jumpstart your efforts to deal with these serious threats:

1. Form a multi-disciplinary team to deal with cyberextortion risks.

Even if you already have a team to deal with potential cyberrisk issues and employee theft/occupational fraud, you still may have to add a few new members to address ransomware and cyberextortion issues. In addition to risk management, the team should include at least one key executive from finance, information technology, security, legal, human resources, operations, compliance and communications.

Be sure to also include representatives from the company’s insurance broker and carrier providing cyber, fidelity and property coverage, claims consultants, outside counsel, and external information security or forensic specialists. Further, develop a rapport with local federal investigative agencies, such as the FBI or Secret Service. 

Your external assets should be ready to respond to a threat with an agreement, contract and/or retainer for immediate delivery and action.

In examining the firm’s potential vulnerabilities to attacks, revisit technology-related exposures and logistical risks, including any and all mobile phone, tablet and laptop usage and password protection protocols and measures to monitor employee compliance. In addition, double-check restrictions on employee access to financial funds, bank and credit accounts, and customer, client and employee personal identifiable information. 

2. Review your insurance coverages.

Conduct a detailed assessment of your insurance protection for ransomware and cyberextortion incidents before attackers strike. Depending on your industry and the nature of your business, different insurance policies may apply to these types of incidents, including commercial crime policies, bankers blanket bonds, computer crime endorsements, cyber and network security policies, kidnap, ransom and extortion insurance, and commercial property insurance.

Selectively communicate those coverage lines within your team of business stakeholders so that they are already aware of risk transfer and possible financial remedies when an incident occurs or a threat is received.

Work with your broker, claims professional and legal advisors to determine if and how your coverage might respond to any ransomware or cyberextortion incident, as well as whether the protection levels are adequate. Your broker may have to revisit this topic with your insurers to determine if coverage extensions or higher limits may be needed. 

Check if your policies offer panel experts, such as law firms, public relations firms, cyber forensics and forensic accountants. Only choose those firms that act on behalf of victims (i.e., the insured). Under these high-stakes circumstances, it is critical that their primary interests are fully aligned with yours.

3. Create an incident response plan.

If you receive a cyberextortion threat or suffer a ransomware attack, your firm will not have time to start figuring out how it might respond. You need to be prepared and know exactly what you want to do.

Cyber criminals typically insist a ransom be paid in bitcoin, often within hours of the request. If it is not paid, the ransom price can go up exponentially. This is where common-sense planning is effective. Before an event, make the decision about whether or not to pay a ransom. If the plan is to pay, consider your limits—and this is where your carrier comes into the discussion. Consider pre-determined input from your trusted cyber experts and law enforcement agents, who likely will be familiar with the criminal actors and the track records of extortion and results.

In addition, be sure to check with your insurers regarding any protocols, guidelines or specific requirements they have established for an insured to respond to a ransom/extortion demand. You should have in place a forensic computer expert, an effective negotiator and a firm with bitcoin resources. 

4. Understand your role in an incident investigation.

This is another area where advance planning is critical, not only to minimize potential damage from an active attack or system breach, but also to avoid repeated attacks. If criminals perceive an entity to be vulnerable, they will often attack in waves.

Your team should know whether, when and how to notify law enforcement as well as which law enforcement agencies to contact in the event of certain cyberattack scenarios.

If internal espionage is suspected, once law enforcement is involved, your enterprise needs to understand and be prepared for all potential implications, including the impact of such investigations on your employees and day-to-day operations. Remember, if a criminal investigation occurs, information flows one way toward law enforcement, which typically cannot share any evidence or information they uncover.

5. Coordinate claims management.

Depending on the type of ransomware attack and whether internal employee involvement is suspected, a number of different insurance policies could respond. While vital, insurance recovery will not be on the minds of those in the “heat of battle.” That is yet another reason advance planning and communication with management and internal team leaders will make the risk professional’s job more manageable and recovery from claims more effective.

In any of these situations, your team must be prepared to triage the incident and prioritize the order in which to contact insurance companies regarding claim notification. Cyber, extra expense, crime and theft, ransom, and business interruption are all possibilities. 

You can expedite this process and potential recovery by working with a claims professional to review potential incident scenarios and assess whether and how different insurance policies will respond.

Along with the initial carrier notifications, you should understand fully what documentation each insurer will require and recognize the corresponding sources for specific information within your organization, including accounting/finance, operations, technology and marketing.

Christopher J. Giovino is managing director of forensic investigation, crime and cyber evaluation risk quantification at Aon Global Risk Consulting. J. Christopher Dineen is director of claims preparation, advocacy and valuation at Aon Global Risk Consulting.

Chris Giovino is managing director of forensic investigation, crime and cyber evaluation risk quantification at Aon Global Risk Consulting.
J. Christopher Dineen is director of claims preparation, advocacy and valuation at Aon Global Risk Consulting.