It was recently revealed that the Hollywood Presbyterian Medical Center paid $17,000 in bitcoins as ransom to hackers who infiltrated and disabled its computer network. This is not the first time hackers have held up a company, and one cybersecurity firm has called 2016 “the Year of Online Extortion.” What makes this breach notable is that it is one of the first public disclosures of a ransom situation. Unlike a traditional data breach, where consumer information is accessed and notification laws are triggered, there is no regulation requiring companies to notify anyone when their computers have merely been disabled and rendered unusable, so most ransomware incidents never become public. This is an unnerving reminder that hackers are increasingly using ransomware to attack companies, and a reminder to revisit your insurance needs.
And to be certain, having your network and operations systems frozen would cripple just about any company. The software hackers deploy is quickly evolving, but the point of entry into companies remains the same: employees. Hackers send e-mails carrying malicious attachments or links; once an employee opens one, the malware searches the files it can reach on the recipient’s computer and encrypts them, leaving the business unable to operate until it obtains the decryption key or restores the data. How do companies defend themselves? Take whatever steps are necessary to harden defenses against hackers and ransomware, and, if possible, maintain redundant backups that are kept isolated from the network (so the malware cannot encrypt them too) and that have actually been tested for restoration, along with resiliency measures that will keep your business running after a hack. Regardless of your defenses, now is the right time to address insurance options that can help companies recover some or all of their losses.
There are three aspects of the potential losses arising from a ransomware attack: 1) losses from the business shutting down, 2) expenses incurred to address and remedy the attack, and 3) any ransom paid if the attack cannot otherwise be resolved. But as Allen Stefanek, the CEO of Hollywood Presbyterian, pointed out in a letter issued by the hospital, the third is oftentimes the most efficient way to handle the problem: “The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key.” While certain of these expenses might traditionally be covered under a property or other first-party policy, or perhaps even a kidnap and ransom policy, insurers are increasingly adding exclusions to those policies and essentially requiring companies to purchase cyber insurance for such events.
Mr. Stefanek’s quote underscores two very important things for companies to understand about those cyber policies. First, insurance for the ransom payments themselves is becoming increasingly important, and second, ransom payments are not always covered in the base form of the policy. Cyber policies bundle a variety of coverages, and where ransom (often labeled cyber extortion) coverage is present it is frequently subject to a sublimit well below the policy’s overall limit; in some base forms it is absent altogether. The lesson is timeless: read the policy carefully, confirm both that ransom coverage exists and what its sublimit is, because some insurers will only add this coverage by endorsement.