Ransomware is taking the world by storm; does insurance respond?

by Butler Weihmuller Katz Craig LLP
Contact

On June 27, 2017, the world had its second major ransomware attack in two months, and experts are predicting more to come.   The first, named WannaCry, began May 12, and quickly spread to over 400,000 machines, the vast majority of which were using outdated Windows operating systems. Within one day the virus was in 150 countries.  Within four days the damages were estimated at over a billion dollars.  So far only around $130,000 has been paid into Bitcoin accounts, and none of the money has been touched.  Indeed, it is unlikely the criminals will be able to access the money without being traced. 

Again on June 27, 2017, the world was hit with another ransomware attack, a variant of Petya a known ransomware, aptly named NotPetya.  On day one, 80 companies in Russia and Ukraine were affected.  Within one week it hit 2,000 users in Russia, the European Union, the United States, Asia, and Australia.  This attack used a more sophisticated virus, locking entire computer systems, and unlike WannaCry there is no kill switch, a successful device that researchers developed to stop the spread of WannaCry.  The virus affected banking, government, airports, and corporations.  Even the Chernobyl plant was affected, where radiation monitoring had to occur manually.  This attack, which only demands 300 bitcoins to unlock data, was reportedly not designed to make money, but only to cause mayhem.  Some are calling it more of a cyberweapon than a ransomware.  Indeed, there is no way to pay the ransom any longer as the emails attached to the bitcoin accounts were shutdown.   

Both of these attacks exploited outdated software which allowed the virus to spread through networks to any vulnerable computer.  The hacking tools permitting the criminals to continue their efforts were reportedly leaked from the NSA and, most importantly, impacted companies that continue to delay system-wide updates to their networks.  According to experts, ransomware is growing at a yearly rate of 350%.  Damage costs from Ransomware in 2017 are estimated to exceed $5 billion, including possible loss of data, lost business income, investigation, restoration, business interruption, and reputational harms.

Companies have experienced business income losses from these recent ransomware cyber attacks. Unfortunately, there will be more attacks in the future. Can the companies which have suffered these losses turn to their insurers and expect to be covered for these losses? The answer will depend on the type of policy the company purchased, its terms and conditions, and the specific facts of each claim.

Cyber policies

Numerous insurers offer cyber insurance, either as stand-alone polices or via an endorsement. The policies’ coverages, terms, and limits may vary. There is no standard cyber insurance form. If a company has a cyber policy, and suffers a loss from a ransomware event, look carefully at the policy’s coverages to see if coverage is triggered in the first place in light of the facts. If coverage is triggered, then examine the exclusions, as one or more may apply in light of facts of a particular claim.  It may be that the policy has a malware or ransomware exclusion, which means there is no coverage. If there is coverage, then look to the policy to determine the types of costs recoverable, and also be cognizant of limits, sublimits, and policy conditions.

A cyber policy typically provides first-party coverage for certain costs an insured company may incur because of a breach or other covered event. These costs may include: (a) investigation costs, including computer forensic services; (b) customer notification costs; (c) costs for data restoration, re-creation and/or system recovery; (d) crisis management or public relations costs; (e) business income losses; and (f) legal fees. If a cyber policy does provide coverage for an insured’s business income losses caused by ransomware (or other form of malware), there may be a limit to the amount of the coverage.

A cyber policy typically also provides third-party liability coverage. In general, the insurer will agree to defend and/or indemnify the insured if a third party, who suffers a loss allegedly due to the insured’s conduct, brings a claim against the insured. Once again, look to the specific policy language to determine whether coverage is triggered in the first place in light of the facts.      

Traditional policies

Do traditional first party property policies and commercial general liability policies provide coverage for an insured’s losses from ransomware cyber attacks? Most likely, the answer is no.

Commercial first party property policies require direct physical loss or damage to insured property from a covered cause of loss. If there is a ransomware attack, the threshold coverage issue is whether there was, in fact, direct  physical loss or damage. If there was no physical loss or damage, coverage is not triggered. Depending on the facts, it may be extremely difficult for an insured to show physical loss or damage to its property from a ransomware attack.

First party polices may also include coverage for business income losses. Business interruption insurance is designed to compensate an insured for its actual business interruption losses resulting directly from physical damage by an insured peril to the insured’s covered property. An insured has the burden to establish:  (1) physical damage; (2) caused by a covered peril; (3) to covered property; (4) an actual and necessary interruption of the insured’s business; (5) the interruption must be caused  by the insured physical damage; and (6) actual loss resulting directly from the interruption of the business.  See also K. Clark Schirle, Time Element Coverages in Business Interruption Insurance, The Brief, Fall 2007.  Once again, the insured has the heavy burden to prove physical loss or damage before it can trigger coverage for business income losses from a ransomware attack.

Even if an insured were successful in proving physical loss or damage to its property from a ransomware attack, other provisions may apply to bar coverage. The property policy may state that electronic data is not covered property. Commercial first party policies typically contain an exclusion for losses arising out of damage to or destruction of electronic data. The first party policy may also contain an exclusion for losses arising from the use of a computer, computer system, software program, malicious code, computer virus or process, or any other electronic systems as a means of inflicting harm. The policy may also contain a terrorism exclusion.

Accordingly, a traditional first party property policy will probably not provide coverage if a company suffers a ransomware attack.

Similarly, a company will most likely be unable to recover under a traditional third party commercial liability policy if a third party brings a claim against it relating to a ransomware attack. Typically, liability policies provide that they will pay on behalf of the insured sums the insured becomes legally obligated to pay as damages because of bodily injury or property damage arising from an occurrence. Property damage is usually defined as physical injury to tangible property. As with property policies, the insured may have an extremely difficult time proving there was property damage to trigger coverage. Further, many policies state that electronic data is not “tangible property”, which means there would be no coverage. Even if the insured could overcome those hurdles, liability policies also usually include exclusions, such as electronic data exclusions, which would apply in the event of a claim involving a ransomware attack.

Conclusion 

Although ransomware attacks have existed for some time, they have recently increased in scope and severity. There will be more in the future. Unfortunately, companies around the world have suffered significant losses from these attacks. If a company submits its losses to an insurance carrier, one has to carefully study and analyze the types of policies the company has purchased, and the policies’ coverage terms, conditions, and exclusions in light of the facts. As a general rule, if the company has purchased a cyber policy, there may be coverage for certain costs which result from a ransomware attack. If the company has a traditional first party or liability policy, there is most likely no coverage. 

[View source.]

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Butler Weihmuller Katz Craig LLP | Attorney Advertising

Written by:

Butler Weihmuller Katz Craig LLP
Contact
more
less

Butler Weihmuller Katz Craig LLP on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign up using*

Already signed up? Log in here

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Privacy Policy (Updated: October 8, 2015):
hide

JD Supra provides users with access to its legal industry publishing services (the "Service") through its website (the "Website") as well as through other sources. Our policies with regard to data collection and use of personal information of users of the Service, regardless of the manner in which users access the Service, and visitors to the Website are set forth in this statement ("Policy"). By using the Service, you signify your acceptance of this Policy.

Information Collection and Use by JD Supra

JD Supra collects users' names, companies, titles, e-mail address and industry. JD Supra also tracks the pages that users visit, logs IP addresses and aggregates non-personally identifiable user data and browser type. This data is gathered using cookies and other technologies.

The information and data collected is used to authenticate users and to send notifications relating to the Service, including email alerts to which users have subscribed; to manage the Service and Website, to improve the Service and to customize the user's experience. This information is also provided to the authors of the content to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

JD Supra does not sell, rent or otherwise provide your details to third parties, other than to the authors of the content on JD Supra.

If you prefer not to enable cookies, you may change your browser settings to disable cookies; however, please note that rejecting cookies while visiting the Website may result in certain parts of the Website not operating correctly or as efficiently as if cookies were allowed.

Email Choice/Opt-out

Users who opt in to receive emails may choose to no longer receive e-mail updates and newsletters by selecting the "opt-out of future email" option in the email they receive from JD Supra or in their JD Supra account management screen.

Security

JD Supra takes reasonable precautions to insure that user information is kept private. We restrict access to user information to those individuals who reasonably need access to perform their job functions, such as our third party email service, customer service personnel and technical staff. However, please note that no method of transmitting or storing data is completely secure and we cannot guarantee the security of user information. Unauthorized entry or use, hardware or software failure, and other factors may compromise the security of user information at any time.

If you have reason to believe that your interaction with us is no longer secure, you must immediately notify us of the problem by contacting us at info@jdsupra.com. In the unlikely event that we believe that the security of your user information in our possession or control may have been compromised, we may seek to notify you of that development and, if so, will endeavor to do so as promptly as practicable under the circumstances.

Sharing and Disclosure of Information JD Supra Collects

Except as otherwise described in this privacy statement, JD Supra will not disclose personal information to any third party unless we believe that disclosure is necessary to: (1) comply with applicable laws; (2) respond to governmental inquiries or requests; (3) comply with valid legal process; (4) protect the rights, privacy, safety or property of JD Supra, users of the Service, Website visitors or the public; (5) permit us to pursue available remedies or limit the damages that we may sustain; and (6) enforce our Terms & Conditions of Use.

In the event there is a change in the corporate structure of JD Supra such as, but not limited to, merger, consolidation, sale, liquidation or transfer of substantial assets, JD Supra may, in its sole discretion, transfer, sell or assign information collected on and through the Service to one or more affiliated or unaffiliated third parties.

Links to Other Websites

This Website and the Service may contain links to other websites. The operator of such other websites may collect information about you, including through cookies or other technologies. If you are using the Service through the Website and link to another site, you will leave the Website and this Policy will not apply to your use of and activity on those other sites. We encourage you to read the legal notices posted on those sites, including their privacy policies. We shall have no responsibility or liability for your visitation to, and the data collection and use practices of, such other sites. This Policy applies solely to the information collected in connection with your use of this Website and does not apply to any practices conducted offline or in connection with any other websites.

Changes in Our Privacy Policy

We reserve the right to change this Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our privacy policy will become effective upon posting of the revised policy on the Website. By continuing to use the Service or Website following such changes, you will be deemed to have agreed to such changes. If you do not agree with the terms of this Policy, as it may be amended from time to time, in whole or part, please do not continue using the Service or the Website.

Contacting JD Supra

If you have any questions about this privacy statement, the practices of this site, your dealings with this Web site, or if you would like to change any of the information you have provided to us, please contact us at: info@jdsupra.com.

- hide
*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.