Will Insurance Cover a Ransomware Attack Against Your Company? - In House
In House - The FindLaw Corporate Counsel Blog

Will Insurance Cover a Ransomware Attack Against Your Company?

Consider ransomware a form of digital kidnapping. Ransomware takes over your computers, encrypts your most essential files, then demands payment or else your data gets it. And such attacks have become increasingly common, especially in industries that hold sensitive information, such as healthcare organizations.

Dealing with these electronic hostage takers can leave computer systems disturbed for days, even weeks, and cost tens of thousands of dollars to rectify. But even if you have cyber insurance, your policy may not cover a ransomware attack.

Ransomware Holes in the Cyber Insurance Coverage

Ransomware attacks fall under your cyber insurance policy's "cyber extortion" coverage and can generally be considered "first-party" or "third-party" coverage, according to Christine Marciano, president of Cyber Data Risk Managers. Third-party coverage would likely leave a company uninsured when they are the victims of a ransomware attack.

Even if your insurance policy covers ransomware attacks made against your company, the deductible may be so high that the company will be stuck paying any ransomware demands out of pocket (should the company decide to pay to decrypt its data). And your coverage may be sub-limited to relatively small amounts, according Kevin Kalinich, the global cyber risk practice leader for Aon Risk Solutions. A $10 million policy may only provide $500,000 for cyber extortion claims, he explains.

Don't Give Up on Your Cyber Insurance Just Yet, Though

Of course, once you're aware of these blind spots in your policy, you can move to correct them. Most cyber insurance policies are highly customizable, allowing your company to create a coverage plan that best fits its risks.

And even a cyber insurance policy that doesn't cover every aspect of a ransomware attack can be highly beneficial in the case of an attack. Case in point: the June, 2016, ransomware attack against the University of Calgary. In a recently piece in Legaltech News, Joseph Saka recounts how the university got hit with a ransomware attack after purchasing a policy that didn't cover the ransom payment:

After the university's systems were affected for more than one week, the university ultimately agreed to pay more than $15,000 for the decryption keys. Although the insurance policy did not cover the ransom payment, the university's vice president of finance and services touted that cyber insurance had been invaluable in helping the university recover from the attack.

[Editor's Note: This piece originally said, incorrectly, that the University of Calgary suffered a ransomware attack a day after purchasing cyber insurance. While the university experienced a phishing attack shortly after its purchase, the ransomware incident occurred months later.]

Related Resources: