Phishing and social engineering schemes continue to be among the leading causes of cyber-related losses, but emerging perils are creating a dynamic new risk landscape that may not be reflected in today’s cyber insurance policies.
Ransomware attacks, in which hackers seize control of company data and demand payment to release it, are growing more common and more sophisticated. While the ransom amounts remain small – typically in the hundreds of dollars – a new report issued late last week by underwriter Beazley revealed attacks have been four times more prominent in 2016 than they were the year previous.
Spurred on by a case in which a Los Angeles hospital paid $17,000 for the restoration of its computer network, hackers are seeking smaller amounts from smaller companies through large-scale phishing scams that compromise systems or steal data. According to the Beazley Breach Insights report, the company’s Breach Response Services unit managed more than 1,400 such attacks on behalf of clients during the first nine months of 2016 alone – up from 931 breaches during the same period last year.
Healthcare providers, financial services firms, and companies in the retail and hospitality sectors are among the most targeted, the report found, and ransoms sought from companies hover in the region of $1,000.
In addition to the ransom demanded, companies are also often on the hook for expensive systems reviews as well as the issuance of data breach notifications, even if no data is removed.
Beazley’s findings reflect the anecdotal experience of other cyber risk professionals.
“We are definitely noticing an uptick in extortion claims and expect it to be a major risk in 2017,” Robert Rosenzweig, vice president and national cyber risk practice leader with DeWitt Stern, told Insurance Business. “The majority of these attackers are less interested in selling the information than getting the ransom paid, which is often being demanded in bitcoin.”
For the most part, the insurance industry has been able to account for changing cyber risk in its policies, Rosenzweig said. Defense and indemnity costs for cyber extortion can be included in cyber insurance forms, and language specifically covering the use of bitcoin payments has been added to many products.
However, insurance brokers are advised to check a policy’s replacement/restoration clause for specific language related to ransomware and extortion. Adding a cyber extortion endorsement may require additional premium, and even if coverage is included, the scope of coverage and limits can be restrictive.
Cyber extortion coverage is frequently sub-limited, for example, with only $500,000 available for cyber extortion in a $10 million limit policy.