By SecureWorld News Team
Mon | Apr 13, 2020 | 6:30 AM PDT

The picture of what types of cybercrime costs are covered by insurance—and when—remains murky.

We've heard as much from SecureWorld's Advisory Council members across the U.S. and Canada.

This includes a key question: Will ransomware insurance cover your ransom paid to hackers?

A recent lawsuit decision in Indiana delivers some news your organization should consider on the topic of cyber insurance coverage.

What happened in this ransomware case?

The case involves G&G Oil Company of Indiana, which experienced the dreaded R in cybersecurity: ransomware.

Hackers broke into the company's computer network and encrypted it. Then the hackers demanded a ransom.

Court documents reveal what a desperate situation this became:

"Employees were unable to access the company's servers and most of its workstations. The workstations were useless without access to the servers. A hijacker had gained access to G&G's computer network, encrypted its servers and most workstations, and password protected its drives."

Ransomware example: this company paid the ransom, twice

The organization decided to pay the hacker's ransom.

Unfortunately, the cyberattack nightmare continued at that point. Yes, you paid us, but now we want more.

"The hijacker demanded payment in bitcoin. G&G made the payment demanded, but the hijacker refused to restore G&G's control over its computer servers and demanded additional bitcoin. Ultimately, G&G paid $34,477.50 for the four bitcoins it sent to the hijacker. After receiving the fourth bitcoin, the hacker gave G&G the passwords enabling it to decrypt its computers and regain access to its servers."

How often do hackers demand a second ransom?

Gretel Egan of Proofpoint revealed the answer during our Behind the Scenes interview on the State of the Phish 2020 Report, which documented ransomware payments:

"10% had a follow-up demand that came back to them after making initial payments. Some people decided to walk away at that point, and others did pay the extra ransom and then did get access to their data."

G&G Oil's second payment allowed it to regain access to its servers for $34,000 and change. And it thought an insurance policy would cover the payment.

However, the oil company would soon discover that after fighting the hacker, it would need to fight its own insurance company as well.

Insurance refuses to cover ransomware payment

Like a lot of organizations hit by ransomware, G&G Oil Company submitted a claim to its insurer after the ransomware incident. 

SecureWorld has covered many notable cases where insurance policies cover most of a hacker's ransom.

In this case, the oil company thought it was on solid ground to file a claim with Continental Western Insurance, based on this clause in its policy:

6. Computer Fraud

We will pay for loss of or damages to "money", "securities" and "other property" resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the "premises" or "banking premises":

a. To a person (other than a "messenger") outside those "premises"; or

b. To a place outside those "premises".

However, the insurance company denied the claim, so the oil company filed suit against its insurer. And just last week, the court handed down a decision.

Court decision on insurance coverage of ransomware payments

In this case, the court in Marion County, Indiana, issued a summary judgment.

The court agreed with the insurer that it was not required to cover the ransomware payments.

Why? The court says it came down to an interpretation of the policy:

"Continental argued that it was not required to indemnify G&G's losses because they were not the result of computer fraud. Continental asserted that the ransomware attack was akin to an act of theft rather than fraud. And Continental noted the exclusion in the insurance policy for losses resulting from a computer virus or hacking.

G&G argued for a more expansive interpretation of the term 'fraud' and claimed that the hijacker's use of computers caused its losses, thus entitling G&G to coverage under the terms of its insurance policy."

The court agreed with Continental's argument and made an interesting analogy in the case. Let's see what you think of this one:

"Pursuant to the terms of the Policy, G&G Oil's loss must be "fraudulently caused." Here, the hacker inserted himself into G&G Oil's system. That may have involved some sort of deception, but no more than the burglar inserts himself into a house by picking a lock or climbing through a window or the auto thief who steals a car by accessing a FOB or a key through surreptitious means.

G&G Oil may prefer to brand all three as fraudsters, but with good reason, the law labels one a burglar, the other a car thief and the third a hacker. Unlike the fraudster, a hacker, like the burglar or car thief is forthright in his scheme.

The hacker deprived G&G Oil of use of its computer system and extracted bitcoin from the Plaintiff as ransom. While devious, tortious and criminal, fraudulent it was not."

Also important to the decision is what G&G Oil failed to do:

"G&G had not purchased the optional 'Computer Virus and Hacking Coverage.'"

Cyber insurance and incident response

Is your insurance policy going to cover your organization's data breach or cyberattack?

Cyber attorney Shawn Tuma of Spencer Fane explains it like this:

"Many organizations discover unpleasant surprises when it comes to their insurance during incident response. This is a terrible time to find out about these things."

Here is an example:
  • You go through the effort of creating an incident response plan, train the incident response team on their roles and responsibilities, and practice tabletop exercises. You are ready to respond.
  • You experience a cyber incident and are ready to execute your plan.
  • "Then you discover that your cyber insurance policy specifically dictates what cyber forensic firms you can use, what public relations firms you can use, what notification vendor you can use, and what breach counsel (aka privacy counsel or breach quarterback) you can use—and none of those 'approved vendors' are the ones that you included on your external incident response team," says Tuma.

Shawn Tuma will be unpacking these kinds of challenges, and others, during an upcoming SecureWorld Remote Sessions broadcast, available live and on-demand.


Register here: Understanding How Cyber Insurance Impacts Your Incident Response Planning, from SecureWorld.

When your organization has an incident, you'll be glad you took a few minutes to learn from this cybersecurity web conference.
