Insurance exists to protect the insured against disaster, but the insurer needs protection so that its policies are not abused – which is where the fine print comes in. However, in the case of ransomware insurance, the fine print becomes controversial and arguably undermines the usefulness of ransomware insurance.
In this article, we’ll explain why, especially given the current climate, war exclusion clauses are decreasing the value of ransomware insurance – and why your organization should focus on protecting itself instead.
What is ransomware insurance?
In recent years, ransomware insurance as a product field has grown as organizations seek to buy protection against the catastrophic consequences of a successful ransomware attack. Why try to take out insurance? Well, a single, successful attack can just about wipe out a large organization, or lead to crippling costs – NotPetya alone led to a total of $10 billion in damages†
Ransomware attacks are notoriously difficult to protect against completely. Like any other potentially catastrophic event, insurers stepped in to offer an insurance product. In exchange for a premium, insurers promise to cover a large part of the damage caused by a ransomware attack.
Depending on the policy, a ransomware policy may cover loss of revenue if the attack disrupts operations, or loss of valuable data if data is erased as a result of the ransomware event. A policy can also cover you for extortion – in other cases it will refund the ransom demanded by the criminal.
The exact payout and conditions are of course recorded in the policy schedule, also known as the “small print”. Crucially, fine print should also include exclusions, in other words, circumstances under which the policy will not pay out. And therein lies the problem.
What’s the problem with fine print?
Understandably, insurers need to protect their premium pools from abuse. After all, it’s easy for an actor to sign up for insurance not because he’s looking for protection, but because he already has a claim in mind.
Fine print isn’t necessarily a bad thing, it’s a way for both parties to define the terms of the agreement so that everyone knows what is expected and what they are entitled to. Within ransomware insurance, the fine print would make some reasonable requests.
For example, your policy requires you to make minimal effort to protect your workload from ransomware. After all, you can expect to take precautions around an attack. Likewise, you’re likely to find a notification clause in your contract that requires you to notify your insurer of the attack within a minimum amount of time.
Another common exclusion is war-related, whereby insurers retain the right to refuse payment of a claim if the damage is the result of war or acts of war. It is this fine print that is of concern at the moment, for three reasons.
The complexity of war exclusions
When one nation-state turns against another, cyber warfare can be used to inflict damage beyond the usual sphere of war. Cyber warfare can be incredibly arbitrary, the parties involved aren’t necessarily government organizations — it could be a business caught in the crossfire.
Insurers have a valid reason for trying to rule out this massive level of exposure. However, there are a few problems. Defining a war is the first issue – when does an act of aggression qualify as a war-related activity? Another difficulty is attribution, as cyber attackers generally do their best to disguise themselves – it’s rare for an attacker to openly declare involvement in an attack.
When an organization is faced with a ransomware attack, how does the insurer – or the claimant – prove that a specific organization was behind an attack, and what prompted the attack, e.g. war? How do you even find out? Finding hard evidence or even any evidence behind attribution is quite a challenge.
Just think about how often ransomware attacks would be carried out by “
And here’s the thing. Claims under ransomware insurance won’t be small – ransom demands typically run into the millions, while damages can run as high as $1 billion. Insurance companies, out of understandable self-interest, will try to find all possible grounds for denying a claim.
It’s no wonder, then, that these claims are often disputed — in court.
It could just end up in court
When there is a disagreement about an insurance claim, the claimant usually turns to the court. The outcome of these cases is uncertain and may take a long time to resolve. An example is Merck’s case against Ace American Insurance. The case referred to the NotPetya attack in which Merck suffered a major break-in in June 2017 that took months to recover from, costing the company an estimated $1.4 billion.
However, when the company attempted to claim its $1.75 billion “all-risk” insurance policy, Ace American initially refused to pay the claim, arguing it was subject to an “Acts of War” exclusion clause. She based this claim on the fact that NotPetya had been used by the Russian government in an act of war against Ukraine.
The claim went to court a short time later, but it took more than three years for the court to reach a decision — on this occasion in favor of Merck, arguing that Ace American, like many other insurers, did not follow the wording. made sufficient changes to its policy exclusions to ensure that the insured – Merck – fully understood that a cyberattack in the context of an act of war would mean that the policy cover is invalid.
Protecting yourself is your number one priority
The insurance industry knows of course that there is a lack of clarity. In a recent big move, the Lloyd’s Market Association, a network of members of the influential Lloyds of London marketplace, published a: series of clauses that its members could include in the terms of cyber insurance products.
These clauses would make a better effort to rule out war-related cybersecurity breaches. But again, there could be some points of contention – with attribution being the main concern.
That said, there’s an increasing chance that ransomware insurance you subscribe to won’t pay out when you need it most, especially when you factor in today’s heightened global security environment.
This does not mean that cybersecurity insurance is not an option, depending on the premiums and the level of coverage it may be an option. But it’s a last resort: your own in-house efforts to protect your IT assets from attacks remain your first line of defense — and your best bet.
The best insurance: a firm cybersecurity attitude
As mentioned before, every ransomware insurance policy has minimum cybersecurity requirements – conditions you must meet in order for your policy to pay out. This can include things like regular, reliable backups and threat monitoring.
We encourage you to go further and really maximize the protection you bring to your technology domain. Provide additional layers of protection, especially a live, reboot patching mechanisms like KernelCare Enterprise from TuxCareor Comprehensive Lifecycle Support for older systems that are no longer officially supported. This helps to tackle the problem.
No solution can provide you with watertight security, but it can help you achieve a goal of keeping risk windows to the bare minimum that is as close as possible. By taking maximum measures to protect your systems, you avoid a situation where you are in for an unpleasant surprise: like finding out that your insurance does not cover your data loss.
So yes, at least take out insurance as a last resort. But make sure you do everything you can to protect your system with all the tools available.