Do you have ransomware insurance? Watch The Fine Print

Insurance is there to protect the insured from catastrophe, but the insurance company also needs protection so that its policies aren’t abused – and that’s where the fine print comes in. In the case of ransomware insurance, however, the fine print has become controversial and arguably undermines the benefit of the policy.

In this article, we’ll explain why, especially in the current climate, exclusion clauses make ransomware insurance increasingly less valuable – and why your organization should focus on protecting itself instead.



What is ransomware insurance?

In recent years, ransomware insurance has grown into a significant product area as organizations try to buy protection against the catastrophic effects of a successful ransomware attack. Why would you buy insurance? Well, a single successful attack could wipe out a fairly large organization or lead to huge costs – NotPetya alone resulted in a total of $10 billion in damages.

Ransomware attacks are known to be very difficult to protect against. As with any other potentially catastrophic event, insurance companies stepped in to offer an insurance product. In return for a premium, insurance companies undertake to cover a large portion of the damage caused by a ransomware attack.

Depending on the policy, ransomware insurance can cover loss of revenue if the attack disrupts operations, or loss of valuable data if data is erased during a ransomware event. The policy can also cover you in the case of extortion – in other words, it will pay the ransom demanded by the criminal.

The exact payout and terms will of course be specified in the policy document, also known as the ‘fine print’. More importantly, the fine print also contains exclusions – in other words, the circumstances under which the policy will not pay out. Herein lies the problem.

What’s wrong with fine print?

Understandably, insurance companies need to protect their premium pools from abuse. After all, it is easy for a policyholder to buy insurance not because they are looking for protection, but because they already have a claim in mind.

Fine print is not necessarily a bad thing; it is a way for both parties to define the terms of the agreement so that everyone knows what is expected and what they are entitled to. In a ransomware insurance policy, the fine print will set out reasonable requirements.

For example, your policy will require you to make at least minimal efforts to protect your workloads from ransomware. After all, it is reasonable to expect you to take precautions against an attack. Likewise, you will likely find a notification clause in your contract that obliges you to inform your insurance company of an attack as soon as possible.

Another common exclusion relates to war: insurers reserve the right to refuse to reimburse a claim if the damage results from war or acts of war. It is this piece of fine print that is currently worrying, for three reasons.

The complexity of war exclusions

When one nation-state attacks another, cyber warfare can cause damage far outside the usual scope of warfare. Cyber warfare can be incredibly indiscriminate: the parties affected are not necessarily government institutions – they can be businesses caught in the crossfire.

Insurance companies have good reasons to try to rule out this massive level of exposure. However, there are some problems. Defining war is the first question – when is an act of aggression considered a war-related activity? Another difficulty is attribution, as cyber attackers usually do their best to disguise themselves – it is rare for an attacker to publicly announce their participation in an attack.

When an organization is under ransomware attack, how does the insurance company – or the claimant – prove that a particular group was behind the attack, and thus what the motive for the attack was, e.g. war? It is very difficult to find physical evidence, or indeed any evidence, to support the attribution.

Just think about how often ransomware attacks are attributed to supposed “groups”.

That is the issue. Ransomware insurance claims will not be small – ransom demands are usually in the millions, while damages can run as high as a billion dollars. Out of understandable self-interest, insurance companies will look for every possible reason to refuse to pay a claim.

No wonder, then, that these refusals end up being challenged – in court.

It might end up in court

When there is a dispute over an insurance claim, the claimant usually turns to the courts. The outcome of these cases is uncertain and they may take a long time to resolve. One example is the Merck v Ace American Insurance case. The case concerned the NotPetya attack of June 2017, in which Merck suffered a major breach from which it took months to recover, and which the company estimated cost $1.4 billion.

However, when the company tried to claim on its $1.75 billion “all risks” insurance policy, Ace American initially refused to pay the claim, arguing that it was subject to an “acts of war” exclusion clause. This argument was based on the fact that the Russian government deployed NotPetya in an act of war against Ukraine.

The claim ended up in court soon after, but it took more than three years for the court to reach a decision – a ruling in Merck’s favor, in which the court noted that Ace American, like many other insurers, had not sufficiently changed the wording of its policy exclusions to ensure that the insured – Merck – fully understood that a cyberattack launched in the context of an act of war could mean that policy coverage was invalid.

Protecting yourself is your number one priority

The insurance industry knows, of course, that there is a lack of clarity. In a recent major step, the Lloyd’s Market Association, a network of influential Lloyd’s of London members, released a set of clauses that its members can include in the terms and conditions of cyber insurance products.

These clauses are intended to exclude war-related cyber security breaches as comprehensively as possible. But, again, there will be points of contention – attribution being the biggest concern.

In short, it is increasingly likely that any ransomware insurance you purchase will not pay out when you need it most, especially given today’s global security environment.

This does not mean that cyber security insurance has no role to play; depending on the premiums and the level of coverage, it may be a good option. But it is an option of last resort: your internal efforts to protect your IT assets from attack remain your first line of defense – and your best bet.

The best protection: a strong cyber security posture

As mentioned earlier, any ransomware insurance policy will have minimum cyber security requirements – conditions you must meet to ensure your claim is paid. These can include things like regular and reliable backups as well as threat monitoring.

We would suggest that you go a step further and maximize the protection around your technology estate. Implement additional layers of protection, especially live patching mechanisms that do not require a restart, such as TuxCare’s KernelCare Enterprise, or Extended Lifecycle Support for legacy systems that are no longer officially supported. This helps to reduce the problem of unpatched systems.

No solution can give you airtight security, but these measures can help you achieve the goal of keeping your risk windows to an absolute minimum, as quickly as possible. Taking maximum measures to protect your systems will help you avoid a nasty surprise: discovering that your insurance doesn’t cover the loss of your data.

So yes, by all means, buy insurance to cover yourself as a last resort. But be sure to do everything possible to protect your systems using all the tools available.
