Insuring Against Ransomware and Other Cyber Extortion

Woman at computer with "you have been hacked" on the screen
Image courtesy of [Yuri Arcurs] / Getty Images.

One type of cyber-attack that has become increasingly common is cyber extortion. Cyber criminals use ransomware and other tactics to extract money from businesses. This article will explain what cyber extortion is, and what you can do to protect your firm against this type of crime.

Cyber Extortion

The term extortion means a demand for money or other property through force or the threat of force. In cyber extortion, the perpetrator typically threatens to seize, damage or release electronic data owned by the victim.

Here are some examples of cyber extortion:

  • Your company uses a website to sell products and attract customers. Your website is hit by a denial-of-service attack. The perpetrators send an enormous amount of traffic to your site at once. This causes your site to shut down. The perpetrators then demand $5,000 to stop the attack.
  • You are a partner in a partnership that provides psychotherapy services. A cyber thief hacks into your firm's computer system and steals patient data. He then threatens to release the data online unless you pay him $1,000.

Ransomware

A relatively new type of cyber extortion is ransomware. This term means malware that prevents a victim from using an electronic device or the data stored on it. To regain access to the device or data, the victim must pay the perpetrator a sum of money (the ransom).

Ransomware can infect virtually any type of computer, including desktops, laptops, tablets and smart phones.

A computer user may unwittingly download malware by clicking on a pop-up ad, opening an infected email attachment, or visiting a compromised website.

The advent of digital currencies like bitcoin has facilitated the work of cyber extortionists. Criminals like these currencies because they are easy to use, and they allow the extortionists to remain anonymous.

Not Covered by Property Insurance

Suppose that an employee of yours opens a file attached to an email. The file contains a virus that spreads throughout your computer system. Now all of your files are encrypted. An extortionist phones you and demands $2,000 to regain access to your files. Will the $2,000 ransom be covered by your commercial property policy? The answer is no. A typical property policy provides a small amount of coverage for damage to electronic data caused by computer viruses. However, this coverage does not include ransom paid to an extortionist.

Cyber Extortion Coverage

Cyber extortion coverage is available under many cyber liability policies. It goes by various names. Examples are Extortion Threat Coverage and E-Threat Expenses Coverage. Cyber extortion is typically an optional coverage. For it to be included in your policy, you must request it specifically and pay the required premium.

What's Covered

Cyber extortion coverage protects your business against losses caused by ransomware and other types of cyber extortion. Many cyber liability policies cover three types of costs:

  • Ransom Money This is money you pay to a cyber criminal in response to a threat. Some policies also cover property (other than money) that you relinquish to an extortionist because of a threat.
  • Extortion-Related Expenses These are expenses you incur as a result of the extortion threat. An example is the cost of traveling out-of-state to make a ransom payment. Another is the cost of hiring a consultant to negotiate with the extortionist on your behalf.
  • Repair Costs Payment of a ransom does not guarantee that your computers and data will be undamaged after their release. If the cyber thief has encrypted your data, moreover, he or she may fail to "unlock" it after the ransom is paid. Most cyber liability forms cover losses you sustain as a result of damage, disruption, theft or misuse of your electronic data. Policies cover the cost to restore, replace or reconstruct programs, software or data.

Most cyber liability policies provide reimbursement for a ransom payment and related expenses.

Your insurer will not pay these costs up front. Furthermore, you must obtain permission from your insurance company before paying a ransom. If you make a payment to an extortionist and tell your insurer about it after the fact, the payment may not be covered. The same rule applies to extortion-related expenses. If you want to hire a consultant to help you deal with the extortionist, you'll need to notify your insurer in advance. Otherwise, the consultant's fee may not be a covered expense.

Cyber Risk Management

When you purchase cyber extortion and other cyber coverages, your insurer may offer online risk management services through a web portal such as eRiskHub. The latter is a website that provides information and technical resources to cyber liability policyholders. Businesses can use the information to protect themselves against data breaches and other types of cyber-crime.

Types of Threats

Cyber extortion insurance covers ransom payments you make and extortion-related expenses you incur in response to a threat. This word is often a defined term. Its meaning determines the types of acts that are covered. The definition varies, but often includes threats to do some or all of the following:

  • Alter, damage or destroy your software, programs or data
  • Infect your computer system with a virus or other malicious code
  • Release your data or sell it to someone else
  • Make your website or computer system inaccessible by initiating a cyber-attack, such as a denial-of-service attack
  • Transfer funds using your computer system

Some cyber extortion policies cover acts of extortion committed by your employees. Other policies exclude such acts. Most policies limit coverage to threats that occur during the policy period. Some policies stipulate that the extortion must take place and be discovered during the policy period.

Prevention

Here are some steps you can take to avoid becoming a victim of cyber extortion. Be sure to pass these tips on to your employees:

  • Protect your computer system with a firewall and antivirus software. Keep your software updated.
  • Be careful when opening email. Many cyber criminals lure victims with infected emails that appear to be legitimate. These emails may contain malicious links or attachments.
  • Don't click on pop-up ads when using the Internet. Cyber criminals use fake ads to lure victims. You can avoid pop-up ads by using a pop-up blocker.
  • Back up your data regularly. Keep copies of critical data at an off-site location.

You should also consider creating a data breach response plan. While a response plan won't prevent breaches from occurring, it will you save time and energy after an incident is discovered. 

The Federal Bureau of Investigation (FBI) recommends that you immediately contact your local FBI office if you are a victim of ransomware or other cyber fraud. You can also report the crime to the FBI's Internet Crime Complaint Center. Reports filed by victims help keep authorities informed about the types of crime that are occurring. The FBI uses the reports to provide information to the public about cyber-crime.