On June 27, 2017, multiple news sources reported that a ransomware attack called Petrwrap/Petya immobilized the computer networks of multiple international businesses, including that of a major global law firm, resulting in a complete lockdown of its computers and phone systems, and making it impossible for any work to be conducted. The attack has reportedly crippled networks across many industries throughout Europe and the world. This type of lockdown is precisely the type of situation that many companies fear when seeking cyberliability coverage.
Ransomware is a form of malicious software that blocks access to a victim’s data by locking a system or encrypting data until the victim agrees to pay a ransom. Some versions threaten to delete the data as well if payment is not made. Other forms of extortion include denial-of-service (DoS) attacks that disrupt, or make inaccessible, a company’s network until a specific demand is met. The WannaCry worldwide cyber attack in May 2017 is an example of a DoS attack, and was one of the most widely publicized instances of a ransomware attack, infecting the United Kingdom’s National Health Service and many other governments and companies worldwide. It has been reported that the June 27, 2017, Petrwrap/Petya attack included a demand for a Bitcoin ransom and the following electronic ransom note:
Many cyberliability insurers include coverage for losses incurred as a result of cyber extortion. Policyholders that are the victims of ransomware attacks may potentially face losses that include ransom payments, business interruption costs, and potential third-party suits resulting from encrypted, corrupted, stolen, or disseminated data. In addition, a ransomware attack, even if short-lived or involving a small amount of money or loss, may indicate a larger intrusion into or a problem with a company’s network. Cyberliability policies also often cover the cost of engaging forensic investigators to determine the cause of a cyber attack and terminate the threat, as well as the cost of other professionals, such as crisis management firms, to help contain the fallout from the public disclosure of a cyber attack. Although the amount of a ransom demand may be relatively small compared with the self-insured retentions on many cyberliability policies, in-house risk managers and counsel should carefully consider whether notice to the company’s cyberliability carrier is warranted, given the risk of a larger intrusion and any need to engage outside counsel or professionals to investigate the incident.
Cyberliability policyholders should review their current policies to determine whether they cover ransomware attacks and ransom payments. In addition, as the cyberliability insurance market continues to evolve in the wake of new and aggressive cyber attacks, policyholders should continue to review the terms and scope of their cyberliability coverage, and seek to negotiate favorable coverage terms that may provide the necessary protection should they be victimized by a cyber attack.
Finally, it is important to remember that a cyber extortion event may trigger coverage under other, more traditional policies, such as kidnap and ransom or commercial crime policies, depending on the circumstances of the event.
As always, it is important to consult with attorneys who concentrate on and are knowledgeable in this area. Reed Smith Insurance Recovery Group attorneys have been at the forefront of this issue, negotiating the placement and renewal of crime and cyberliability insurance coverage, including coverage for DoS and ransomware attacks, and minimizing, or eliminating, any potential coverage gaps for large and small companies.