“New low” for ransomware cybercriminals an opportunity for cyber insurers?

A remarkable U-turn in the latest publicised cyberattack to hit headlines took place earlier this month.

Cyber hackers (named Radiant) revealed that their apparent “morals” may know some bounds (when it comes to 8,000 names, addresses and images of children and details of parents and carers, which caused public outcry). This could present an opportunity and benefit to insurers and holders of cyber insurance policies as it highlights the types of losses that need coverage. 

We use this article to break down the types of losses that may be incurred after a data security incident through this recent example, with a view to better informing you of the types of losses to consider when opting for cyber cover.

1. The ransom 

Ransomware attacks are not uncommon; they involve the extortion of data from a database (in this case, a nursery chain) and holding it hostage until the ransom is paid (here, £600,000 in Bitcoin).

Two options exist for the insured: either pay out and hope the data comes back or hold out and suffer (potentially wider) reputational damage. For insurers, this arguably presents the biggest consideration for loss recovery - should ransom payments be covered under cyber policies, and if they are, who controls that process and related negotiations? 

2. Repairs to systems and data recovery

How this cyberattack began is not clear, as the relevant nursery refused to respond for comment. Radiant claimed access to nursery systems came from buying access to a member of staff’s computer (known as the “initial access broker”) which was then separately compromised by another hacker within Radiant, which took the data from the nursery’s Famly account - a widely-used early years education platform. Famly denied that the security and infrastructure of its platform was ever compromised. 

This presents a major challenge for insurers around conditions of cover - can a policy pay out if the insured ultimately permitted or failed to prevent access, and what terms or processes need to apply?

Third-party costs connected with restoring the relevant networks, systems and databases, either to patch up bugs or errors, may need to be incurred by insureds. Forensic investigations may also be needed to support with data recovery, and insurers need to act fast in releasing funds to allow prompt data recovery and reductions in further business interruption; therefore, policy wordings need to be clear so that policyholders are aware of their obligations when ensuring coverage is in place. 

3. Wasted management time

Cyber incidents cause significant operational, staff and management time to be diverted away from BAU activities, which naturally comes at a commercial cost.

These “additional” business expenses may not always be covered and not all cyber policies include business interruption as standard. Insurers need to consider how involved they can be with this restoration process when it comes to offering cover and engaging with their policyholders as they navigate this process. 

4. Consequential losses

Losses relating to cyber cover are not all immediate for policyholders. Insurers need to consider that, once the data is restored and the attack is “over”, hacked entities may find themselves handling multiple complaints to regulators, specifically the Information Commissioner’s Office, in respect of this data breach.

This may prompt regulatory investigations, which may incur third-party legal and consultancy fees in addition to management time and potential regulatory sanction(s) in future. As they may be connected to the same incident, policyholders may seek appropriate coverage, which will make clarity in policy wordings more important for insurers and underwriters. Notifications to regulators may also need to be made, which will incur additional time and potential legal fees.

In addition, data subjects may issue subject access requests to find out what data is/was at risk, which involves further time and, possibly, legal and consultancy fees. This may be an area for policy exclusions as the nature of consequential losses can start to spiral.

Public relations costs may also be required where reputational damage is incurred. This is a particularly challenging one for insurers to manage when it comes to policy coverage and limits, as the losses can be intangible and inconclusive until months after the event.

Finally, if (as a result of the hack) a third party alleges that a virus was transmitted to their systems, additional liability support may be required, which presents further challenges for policy wordings technicians and underwriters as policyholders try to trace causation through multiple channels. 

Summary of key lessons for insurers

Important lessons to learn from this case for insurers are that U-turns are far less common, with only a handful of examples in the past 10 years.

Insurers must prepare themselves to meet cover once the data loss is triggered and proceed on the basis that safe data recovery is unlikely, and cyber policies need to prepare for this practical reality in each case when looking at what cover they need to underwrite.

Motive for this U-turn remains unclear: the moral angle is suspected but seems unlikely. In most cases, hackers say they delete the data but, in fact, retain it and ultimately sell it on; apparently “reputation” is critical to cyberhackers as it links directly to their credibility when it comes to demanding future ransoms.

Reputation for insurers remains equally critical as cyber insurance becomes ever more important in an increasingly digital age.