Insurance is Getting Tired of Ransomware, Too

Recently, this blog covered the federal government’s increasing intolerance of cybersecurity incidents. The Office of Foreign Asset Control (“OFAC”) has tightened controls on paying ransom to fraudsters. Meanwhile, federal banking regulators now require financial institutions to provide notice within 36 hours of detecting a cybersecurity incident. However, the federal government is not the only entity losing patience with the proliferation of ransomware attacks. Your insurance company is fed up, too.

All of the high profile ransomware attacks throughout 2020 and 2021 took a toll on their victims and insurance companies. Due to the volume of claims, many industry reports show that loss ratios for insurance claims on ransomware policies approaching 70%. Higher loss ratios mean insurance companies are paying an increasing portion of premiums out to cover claims.

Losses at this level are not sustainable, so something has to change. Some insurance carriers have started to exit the market entirely. For carriers still offering insurance, insureds may see their premiums increase by as much as 50% to 100%. Organizations that can still get coverage are also seeing maximum limits of coverage reduced. In other words, insurance for cybersecurity events, if you can get it, is more expensive and covers less.

This blog has previously covered disputes between insureds and their insurance companies over coverage in the wake of a cybersecurity event. Insurance disputes often focus on whether “cyber-insurance” covers losses when employees are tricked into sending funds to fraudsters.

Ransomware insurance policies had been a relatively quiet corner of the market, because whether coverage was available was a relatively clear issue. However, insurance companies are now taking a stricter view of whether coverage is available to cover ransomware, and changing what policies cover in order to limit claims. This can leave insureds with a difficult decision regarding whether to pay ransom demands. Either the insured can pay the ransom and risk not having insurance coverage, or decline to pay the ransom and risk losing their data.

Insurance has also never been more important for covering costs associated with new regulatory burdens. As we recently explained, banking regulators’ new 36-hour cybersecurity incident notice rule means banks will need to promptly engage qualified computer forensic teams to assess the scope of cybersecurity incidents. Many insurance policies that cover cybersecurity incidents require use of a specific vendor. If insureds find themselves in a dispute with a carrier over whether a claim is covered, they may lose precious time working with a policy’s mandated vendor.

Organizations face more risk than ever before from cybersecurity incidents. In the wake of a cybersecurity event, organizations should still immediately notify their insurance carriers of a potential claim. With growing uncertainty surrounding the availability of insurance coverage, however, insureds may also need to engage with legal counsel early in the claims process in order to evaluate the availability of coverage.

Shareholder Attorney John Lande is chair of Dickinson Law's Cybersecurity, Data Breach, & Privacy practice group. For more information on his practice, click here.