No More Tears: Insurance Coverage For The "WannaCry" Ransomware Attack
The Situation: At least 300,000 computers in more than 150 countries were affected by the WannaCry "ransomware" attack.
The Result: Beyond the ransom demand, other expenses, inconveniences, and complications for victimized companies are likely.
Looking Ahead: Commercial policyholders should review their insurance coverage provisions before another ransomware attack occurs.
This month's WannaCry "ransomware" attack—the first truly global incident of its kind—is believed to have affected at least 300,000 computers in over 150 countries, claiming among its victims many large corporations and public entities. A form of malicious software ("malware"), the WannaCry ransomware leverages exploits reportedly stolen from the NSA by the Shadow Brokers hacker collective. WannaCry (or "Wanna Decryptor") holds computers hostage by encrypting files until a ransom, demanded in the virtual currency Bitcoin, is paid for a decryption key to unlock them.
With business interruption losses estimated in the billions of dollars, the WannaCry attack has delivered a sobering reminder of the serious threat posed by cyber extortionists. The fact that such events are expected to continue with increasing frequency and sophistication only underscores the need for commercial policyholders to carefully review their insurance programs before the next ransomware event. Even companies with cyber insurance may encounter coverage challenges from their insurers with respect to ransomware attacks. This Commentary identifies key insurance issues for commercial policyholders to consider as they do so.
Review the Fine Print of Your Cyber Insurance Coverage Now
The potential losses caused by ransomware attacks can extend well-beyond the ransom itself to include forensic investigation and crisis management expenses, data repair and restoration costs, revenue loss due to the interruption of normal business activities, as well as third party liabilities. While other policies in your insurance program may respond with coverage for certain of these losses and should also be reviewed, particular attention should be paid to the scope of any cyber insurance coverage.
Cyber insurance policies typically contain insuring agreements addressing third-party liabilities (e.g., network security, privacy, and media liabilities) and incident response costs (e.g., forensic investigation, defense and crisis management costs, including customer notification and credit monitoring expenses). Some cyber coverages also provide insurance for first-party losses, including business interruption, the cost to restore lost or compromised data, as well as cyber extortion expenses.
Given that there are nearly 70 cyber insurers and no standard forms (so policies vary greatly in scope), policyholders should be aware that some cyber insurers may not include ransomware coverage in their basic form, but will include it upon request via endorsement. Therefore, it is important for risk managers to pay particular attention to the fine print of their company's cyber insurance coverage. As illustrated by the WannaCry attack, the billions of dollars in estimated business disruption losses dwarfed the approximately $300 per computer Bitcoin ransoms, the most significant economic losses to companies targeted by ransomware are often for related business disruption and forensic investigation costs. Risk managers should confirm that their company's cyber insurance policies adequately address these exposures.
In addition, commercial policyholders will want to ensure that their cyber insurance policies are drafted broadly enough to capture both known and future forms of cyber extortion. For example, while cyber extortionists now commonly demand payment in the form of Bitcoin and other virtual currencies (or "crypto-currencies"), a number of cyber insurance policy forms have not been revised to specifically allow the payment of cyber extortion ransoms in such currencies. Where possible, policyholders should insist that their cyber insurance policies be drafted to expressly cover such modes of payment.
Policyholders should also review their cyber extortion coverage for any advance insurer consent provisions, which can apply not only to the payment of ransom demands, but also to forensic investigation and crisis management expenses necessary to investigate, evaluate, and address cyber extortion threats—thereby presenting an additional logistical hurdle for policyholders to face during such crises. While it is important for policyholders to be aware of such provisions, policyholders may be able to negotiate the deletion or modification of these and other provisions with their cyber insurers for no additional cost or only a modest increase in premium.
Policyholders should also be mindful of policy exclusions concerning their information technology operations. Some cyber insurance policies contain so-called "failure to patch" exclusions, which purport to exclude coverage for losses attributable to a failure to install or implement available software patches for known software vulnerabilities. Insurers may attempt to deny coverage for cyber-attacks where the policyholder used outdated software and did not implement security patches on a timely basis.
Cyber insurance policies also commonly exclude coverage for bodily injury—a consideration of particular importance to healthcare providers, whose ability to deliver adequate patient care may be compromised during cyber extortion events. While the costs incurred by healthcare providers to investigate and end a ransomware attack may be covered, insurers may attempt to deny coverage for bodily injury allegedly resulting from the ransomware's impairment of healthcare providers' ability to provide medical services. In that event, affected healthcare providers may need to look to other policies within their insurance programs that insure bodily injury, such as professional and commercial general liability policies, which themselves may exclude coverage for cyber-related events. As this example illustrates, commercial policyholders will be well served to identify and address these potential coverage gaps in advance of the next cyber extortion incident.
Do Not Overlook Traditional Insurance Coverages
As noted above, businesses should keep in mind that other policies within their insurance program may also respond with coverage for ransomware losses. Specifically, kidnap and ransom policies that include extortion as an insured event may respond with coverage for related ransom monies and forensic investigation and crisis management expenses.
Similarly, although certain commercial property insurance policies now contain exclusions for computer-related losses, those that do not may also afford coverage for ransomware-related business interruptions. In the event of ransomware-related business interruption, some commercial property insurers may nevertheless dispute whether the "physical loss" requirement of such policies has been met. Policyholders should keep in mind, however, that courts in certain jurisdictions have determined that the loss of use or functionality of computer networks, including as a result of cyber attacks, may constitute "physical loss" sufficient to trigger business interruption coverage. The determination of whether "physical loss" has occurred will, therefore, continue to require a close examination of the particular facts of each case.
Policyholders that have experienced losses due to a ransomware event should accordingly obtain and carefully review all policies that may potentially respond with coverage, including those in which your business is identified as an "additional insured."
Remember to Provide Timely Notice of Ransomware Events
For many businesses affected by the WannaCry ransomware, what began with a $300 ransom demand—a figure by itself insufficient to exhaust many policies' self-insured retentions—ultimately resulted in business interruption losses and other costs in the millions of dollars. And there may be more problems yet to come. Ransomware attacks are often used as smokescreens to conceal broader hacking activities and theft of data. Over the next several weeks, victims of the WannaCry attack may discover that they have suffered a broader network intrusion that will result in additional costs. Policyholders should accordingly err on the side of caution by promptly giving notice of a ransomware event under all potentially applicable insurance policies as soon as possible.
Although the particular notice requirements vary by policy and applicable state law, a policyholder's failure to promptly meet these deadlines may unnecessarily complicate its insurance recovery, or, worse, insurance companies will argue that such a failure to meet these deadlines in a timely fashion results in a forfeiture of coverage. In addition to timing, policyholders should also follow any instructions set forth in the insurance policy concerning the manner of notice (e.g., whether the notice must be in writing, to whom notice must be given, and what information must initially be provided).
As the first global incident of its kind, the WannaCry ransomware attack marked the beginning of a new chapter of cyber crime. While the foregoing has identified some of the insurance considerations implicated by ransomware events, businesses interested in proactively managing their ransomware exposure should carefully evaluate the sufficiency of the coverage provided under their existing insurance programs before the next ransomware attack.
Four Key Takeaways
- Cyber insurance policies vary significantly in scope.
- The most significant losses to companies targeted by ransomware are often related to business disruptions and forensic investigation costs.
- Ransomware attacks are often used to conceal broader hacking activities and theft of data.
- In the event of a ransomware attack, policyholders should give notice of the event to their insurers under all potentially applicable policies as soon as possible.
For further information, please contact your principal Firm representative or one of the lawyers listed below. General email messages may be sent using our "Contact Us" form, which can be found at www.jonesday.com/contactus/.
Tyrone R. Childress
Jason B. Lissy
Jones Day publications should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request reprint permission for any of our publications, please use our "Contact Us" form, which can be found on our web site at www.jonesday.com. The mailing of this publication is not intended to create, and receipt of it does not constitute, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.