Cyber extortion and ransomware attacks made headlines across the globe this summer. In May, the WannaCry virus infected hundreds of thousands of computers worldwide. In June, the NotPetya ransomware attack shut down hundreds of thousands of additional computer systems across the globe. In July, an anonymous hacker who called himself “Mr. Smith” and “Little Finger” claimed to have stolen 1.5 terabytes of confidential information from HBO, including unreleased Game of Thrones episodes, and demanded a multimillion-dollar ransom payment to prevent its release. These attacks highlight the importance of one of the lesser-known areas of cyber insurance: cyber extortion coverage. Here is what you need to know about cyber extortion coverage, including best practices and potential pitfalls for companies exposed to cyber extortion risk.
Cyber Extortion Coverage
Although the specific policy wording varies from policy to policy, many cyber policies provide coverage for extortion-related expenses and payments paid by the policyholder as a result of a cyber extortion threat. A sample insuring agreement is shown below:
The Insurer shall pay Extortion Expenses and Extortion Payments actually paid by the Company as a direct result of a Network and Data Extortion Threat that occurs during the Policy Period, that is reported to the insurer in accordance with [the policy’s notice provisions], and to which the Insurer consents in writing prior to the offering of such reward.
“Extortion Expenses” are defined to mean “the reasonable and necessary expenses incurred by the policyholder that are attributable to a Network and Data Extortion Threat,” but certain types of expenses may be excluded from that definition, including “any costs or expenses to correct any deficiencies, identify or remediate Software errors or vulnerabilities, or costs to update, replace, modify, upgrade, restore, maintain or improve any security system of Computer System of the Company.”
“Extortion Payments” are defined to mean:
monies paid to a third party whom the Company reasonably believes to be responsible for a Network and Data Extortion Threat; provided that:
- the Insurer’s prior written consent is obtained prior to making such Extortion Payments; and
- such Extortion Payments are made to terminate the Network and Data Extortion Threat.
“Network and Data Extortion Threat” is defined to mean:
a credible threat or connected series of credible threats made by a natural person to an Insured where such natural person:
- introduces or threatens to introduce Malicious Code into the Computer System of the Company;
- interrupts or threatens to interrupt the Computer System of the Company through a Denial of Service Attack;
- disseminates, divulges or improperly utilizes or threatens to disseminate, divulge or improperly utilize any Non-Public Personal Information or Confidential Corporate Information in any format; or
- engages in Cyberterrorism.
“Confidential Corporate Information” is defined to mean:
Corporate information, in any format, that has been provided to the Insured by a third party which is not available to the general public and is subject to a mutually executed written confidentiality agreement or which the Insured is legally required to maintain in confidence.
Best Practices and Potential Pitfalls
Cyber policies typically require a policyholder faced with a cyber extortion threat to notify its insurer and seek its insurer’s consent before making any extortion-related payments. Although the policy language quoted above does not expressly provide that the insurer’s consent may not be unreasonably withheld, an insurer generally owes its policyholder a duty of good faith and fair dealing, so a policyholder has a very good argument that an insurer may not unreasonably withhold its consent to a payment that the policyholder believes to be reasonable and in its best interests. That said, a policyholder should try to negotiate policy wording which expressly states that the insurer may not unreasonably withhold its consent. In any event, the larger the ransom payment demanded, the more incentive an insurer has to withhold its consent and contest coverage.
An insurer may also argue that the extortion-related expenses and/or payment fall outside the cyber policy’s insuring agreement. An insurer, for example, may argue that a threat to disclose the policyholder’s own confidential information (as opposed to third-party information in the policyholder’s possession) is not an extortion-related threat within the meaning of the policy. A threat to disclose the policyholder’s own confidential information, however, is just as much of a cyber extortion risk as a threat to disclose third-party information in the policyholder’s possession. A policyholder such as HBO, for example, would want its cyber insurance to provide coverage for any extortion-related expenses it incurs in connection with a threat to disclose its own creative content. Accordingly, companies purchasing cyber extortion coverage should try to negotiate policy wording that clearly covers this type of threat regardless of whether the information at issue is third-party information.
The requirement that an extortion threat be made by a “natural person” may also prove problematic. For example, it may be difficult to prove that a threat was made by a “natural person” when the identity of the hacker or group of hackers is unknown (as is often the case). An insurer may also argue that a cyberattack sponsored by a nation-state does not satisfy the “natural person” requirement. It should not matter whether the “person” making the threat is a nation-state, a hacktivist organization or a line of computer code, but the “natural person” requirement may cause unnecessary problems that can be avoided by removing that language during the policy negotiation process.
It is also important to remember that a cyber extortion attack may trigger other types of coverage, including business interruption coverage. Business interruption coverage can compensate your company for lost revenue or earnings resulting from a cyberattack, including a cyber extortion attack. This can be important coverage if the cyber extortion attack threatens to shut down your company’s computer systems or otherwise interferes with normal business operations.
A company that understands the potential pitfalls associated with cyber extortion coverage can put itself in the best possible position to secure coverage in the unfortunate event that it falls victim to cyber extortion. Given the dramatic increase in ransomware attacks and other forms of cyber extortion over the past few years, and recent increases in the amount of money demanded, companies exposed to this risk would be wise to think about their cyber extortion coverage sooner rather than later.