By: Michael H. Sampson, Esq.
A recent rash of cyberattacks serves as a stark reminder that businesses of all types and sizes are vulnerable to – and, must continuously be on guard against and prepared to respond to – cybercrime, including costly ransomware attacks. While being “prepared,” of course, includes, for example, ensuring network security; it also should include obtaining and maintaining cyber insurance.
A business should not wait until it falls victim to a cyberattack to review its insurance coverage portfolio, fill any gaps therein, and/or purchase cyber insurance. By then, it could be too late. Rather, as soon as possible, a business should make sure that it has appropriate cyber insurance in place to protect against the specific risks and liabilities it could face. Insurance brokers and experienced insurance coverage counsel can be important resources for a business working to make sure it has appropriate and adequate coverage.
Recent Ransomware Attacks Highlight Risk
“It can feel abstract,” The Washington Post reports: “A group of organized but faceless criminals hijacking corporate computer systems and demanding millions of dollars in exchange for their safe return. But the impact of these ransomware attacks is increasingly, unavoidably, real for everyday people.”
Indeed, in the past month alone, at least two major cyberattacks have garnered headlines across the United States and around the world. In early May, the Colonial Pipeline fell victim to a ransomware attack – reportedly the “biggest [cyberattack] on U.S. oil infrastructure.” More recently, JBS, “[t]he world’s largest meat-processing company [also was] targeted by” a ransomware attack.
In addition to these more high-profile examples, other ransomware attacks (and/or other types of cyberattacks) also reportedly recently have affected the Martha’s Vineyard ferry service and at least two local television stations.
The U.S. Cybersecurity & Infrastructure Agency explains that “[r]ansomware is an ever-evolving form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable.” In a ransomware attack, the federal agency continues, “[m]alicious actors … demand ransom in exchange for decryption. Ransomware actors often target and threaten to sell or leak exfiltrated data or authentication information if the ransom is not paid.”
Cyber Insurance Can Help Mitigate Risk
Like cyberattacks themselves, cyber insurance too can seem abstract to many people. But, also like cyberattacks, the importance of cyber insurance is becoming increasingly and unavoidably real for all businesses – big and small.
The specific scope of coverage afforded by a cyber insurance policy can vary from insurance policy to insurance policy. As such, it is important to carefully review the specific language in any relevant policy. Generally, though, cyber insurance can provide first-party and/or third-party coverage(s).
If, for example, a business experiences a data breach or some other form of cyberattack that allegedly harms a third party, and that third party sues the business, third-party liability coverage can provide the business coverage for defense costs, settlements, and/or judgments.
In contrast, first-party insurance is intended to cover a business for its own losses, such as business income loss, incident response expenses, and/or data restoration expenses.
Notably, a cyber policy also may provide some form and amount of coverage for “cyber extortion” and/or ransomware events. As part of that coverage, the insurer may even agree (subject to satisfaction of certain notice requirements or other conditions) to pay any amounts that the policyholder must pay to satisfy an attacker’s demand. In other words, the insurer may be contractually obligated to pay the ransom.
As such, cyber insurance can be a very valuable asset. Accordingly, businesses should review their insurance portfolios today and make sure they in fact have appropriate and adequate cyber coverage. If they do not already have such coverage in place, they should consider purchasing it immediately.
When purchasing and/or renewing cyber insurance, it is important to carefully review all potential insurance policies. Not all cyber insurance is created equal. For example, last month, “global insurance company AXA said … it will stop writing cyber insurance policies in France that reimburse customers for extortion payments made to ransomware criminals.” While, according to media reports such as one that appeared in Insurance Journal, “[t]he suspension only applies to France[,]” it nonetheless demonstrates the variability – and, for that matter, potential vulnerabilities – in cyber insurance policies.
For this reason alone – i.e., to know what coverage it is getting and what coverage it is not getting – a policyholder, working closely with its insurance broker and/or experienced coverage counsel, should proactively and carefully review any cyber insurance policy(ies) it already has purchased and/or is considering purchasing or renewing.
For more information or assistance with reviewing or procuring cyber insurance policies, and with obtaining insurance coverage in the event of a ransomware attack or any other cyberattack, please contact Michael H. Sampson. Michael leads the Insurance Coverage Group, part of Leech Tishman’s Litigation & Alternative Dispute Resolution Practice Group. He can be reached at 412.261.1600 or firstname.lastname@example.org.
Leech Tishman’s Facebook Page: https://www.facebook.com/leechtishman
Leech Tishman’s Twitter: https://twitter.com/LeechTishman
Leech Tishman’s Company Page on LinkedIn: https://www.linkedin.com/company/leech-tishman
Leech Tishman Fuscaldo & Lampl is a full-service law firm dedicated to assisting individuals, businesses, and institutions. Leech Tishman offers legal services in business restructuring & insolvency, corporate matters, employment & labor, estates & trusts, intellectual property, litigation & alternative dispute resolution, and real estate. In addition, the firm offers a wide range of legal services to clients in the aviation & aerospace, cannabis, construction, energy & natural resources, healthcare, and hospitality industries. Headquartered in Pittsburgh, PA, Leech Tishman also has offices in Chicago, Los Angeles, New York, Philadelphia, Sarasota, Washington, D.C., and Wilmington, DE.