Free Enterprise - The FindLaw Small Business Law Blog

Can Kidnapping Insurance Protect Against Ransomware?

Many companies that do business in some dangerous parts of the world have kidnapping insurance to protect their executives and employees. But now that so much of our commerce and data is online, the whole world becomes dangerous and our companies become vulnerable to ransomware attacks.

So if hackers "kidnap" your network or your company or customer data and try to ransom it back to you, can kidnapping insurance help?

Cyber K&R

Asreported by Reuters in response to the recent "WannaCry" ransomware attack, some companies who were not already equipped with cyber insurance policies are combing through their kidnap policies to see if they'll cover such an attack:

The kidnap policies, known as K&R coverage, are typically used by multinational companies looking to protect their staff in areas where violence related to oil and mining operations is common, such as parts of Africa and Latin America.
Companies could also tap them to cover losses following the WannaCry attack, which used malicious software, known as ransomware, to lock up more than 200,000 computers in more than 150 countries, and demand payments to free them up.

Stretching a kidnapping insurance policy to cover a ransomware attack, however, isn't advisable. As Reuters noted, even if the K&R policy will pay out after a ransomware attack, the payouts will likely be smaller than a more traditional cyber insurance policy.

A Cyber Shoulder to Cry On

If cyber insurance sounds foreign or unnecessary to you, think again. As the WannaCry attack demonstrated, ransomware isn't just for multinational internet companies. The WannaCry cryptoworm hit computers running Microsoft Windows that had not been updated with the latest security updates, including hospital systems in Britain, FedEx, and Nissan manufacturing plants. Once the malware gained access to the computer, it would encrypt the computer's data and display a message demanding payment of around $300 in bitcoin within three days, or $600 within seven days. WannaCry was not a targeted attack, and even some individual computers were hit.

That's why your business should consider a comprehensive cyber insurance policy. Having a policy more narrowly tailored to cybersecurity risks like ransomware attacks can mean better protection and bigger payouts if you're the victim of such an attack.

Related Resources: