Choosing the Right Ransomware Insurance Policy

In a world where data breaches are becoming inevitable and the cost of those incidents averages $9.44 million in the United States, ransomware insurance is becoming increasingly attractive to companies of all kinds. But for all the benefits that ransomware insurance can provide, it's quite costly. Premiums increased 92% year-over-year in 2021, and policies typically come with numerous exclusions alongside various other strings attached. This isn't to say that insurance isn't worth it. Quite the opposite: having a strong ransomware insurance policy can help mitigate financial damages following an incident, which can be more than worthwhile with incident recovery costs at record highs and continuing to climb. Rather, it's about making sure you select the right ransomware insurance policy for your needs and have a strong understanding of what's covered and what's not, so you can respond appropriately when a data breach occurs. With that in mind, here are the 8 points for selecting the right ransomware insurance policy.

1. What kinds of information, devices, and situations are covered?

You must first understand which kinds of occurrences, data, and devices are covered and which kinds are not. Policies vary on this coverage, which can have a significant impact on how well-protected your company is and how you respond in the event of a breach.

  • Incidents: In terms of incidents covered, key areas to note include:
      • Actions taken by employees: Some policies exclude coverage for actions taken by employees, regardless of whether they are considered insider threats or unintentional errors.
      • Acts of war: Many policies have an exception for acts of war, which can be broadly defined as attacks led by nation-state actors. With many attacks originating in Russia and China, there's a lot of potential for insurance companies to tie a hacking group to those countries' governments. However, there's a lot of complexity in this area.
      • Phishing: Insurers often exclude phishing because it's a common attack that's less profitable to insure.
  • Data: Different insurance policies may exclude certain types of data from coverage as well. Exclusions for sensitive information, trade secrets, and personal information are common examples to watch for.
  • Devices: Sometimes insurance policies exclude certain types of devices, particularly employee-owned devices, such as a smartphone or tablet that an employee uses to check their company email or run work-related applications. If that device becomes the vector for a breach, the incident might not be covered under some policies.

2. What constitutes discovery of an incident?

It's important to know what each policy defines as discovery of an incident, since that can impact notification timelines. Sometimes it's discovery of the incident itself, but it can also be instances of loss or actual costs from being sued. In general, the definitions for discovery are very wide-ranging across insurance policies. Who must be involved in the discovery process in order for the clock to start is another crucial factor to take into account. Some policies define discovery as awareness by certain executives only, whereas others define it as awareness by any employee at all. There are big gaps between these definitions, and policies in which any employee becoming aware of an incident triggers the discovery clock put a lot of pressure on having strong response protocols in place.

3. How soon after discovery is the notification timeline?

The clock begins to run once discovery takes place, and once more, there is a wide range in the timeframe for notifying the insurance company of an incident. It can be 24 or 48 hours in certain policies and up to 30 days in others. Given that 30 days is a longer timeframe than a few hours, it would seem like the best option; however, plans frequently exclude expenses incurred prior to notification.

4. What are the stipulations for coverage?

In addition to provisions prohibiting payment for expenses incurred before notice, plans frequently demand insurer approval before your business can make any purchases. However, a lot of insurers offer a list of instantly usable, pre-approved providers. It does not imply that you cannot utilise providers who are not on that list; rather, using such providers may require clearance from the insurer, which may take some time and is not always granted.

5. Who is included in the list of authorised providers?

With that in mind, consider which providers are on the approved panel. Would you want to use them in the event that something goes wrong? These providers are generally ones with whom the insurer has negotiated a lower rate, so depending on the sensitivity of a given incident, your company may decide it wants to use another provider already trusted by your team. If the insurer is unwilling to cover a more expensive firm, this could be a big sticking point. A fascinating aspect of approved provider panels is that they frequently put the providers in a difficult conflict of interest. Imagine a scenario in which you hire outside legal counsel from the panel, but the insurer decides for some reason not to pay for those services. The outside counsel still has a duty to your company as their client, but this could lead to a scenario where the insurer removes the legal representative from the panel because it believes they were unreasonable. Although it's difficult to predict when these situations may occur, the panel providers should always be taken into consideration.

6. What types of costs are covered?

Every policy has a coverage limit (say, $3 million or $10 million), and some plans place a limit on the amount that can be spent on specific categories of expenses within that number. Contract disputes, for example, are not covered by certain policies, which can be very costly for your business to deal with after an incident because every lawsuit from a client is viewed as a contract dispute. As a result, this type of exclusion would leave your company without coverage for long-tail costs, which can extend numerous years after the incident itself, even if you still have coverage dollars available under your total limit. Another common exclusion to look out for relates to cryptocurrency losses. Ransomware attacks, in which hackers steal data and hold it captive in exchange for a ransom payment, often ask for the payment to be made in cryptocurrency. A clause that excludes costs associated with cryptocurrency losses traditionally means the policy doesn't cover instances where cryptocurrency itself gets stolen. But insurers could make a creative argument for applying this clause to ransomware payments made using cryptocurrency.

7. Are you precluded from disclosing that you have ransomware insurance?

Another common stipulation in ransomware insurance policies precludes companies from letting an adversary know that they have insurance without the consent of the insurer. This is because once the adversary knows your company has insurance, they will typically ask for more money during ransomware negotiations because they know it's not coming out of your pocket. As a related point, if your insurance policy does preclude you from disclosing that you have coverage, then the policy documents will need to be safeguarded in the same way you would protect other highly sensitive documents, like those containing trade secrets. This is crucial because, if an adversary manages to locate a document pertaining to your insurance policy and can see your policy limit, they will usually open ransomware negotiations by demanding that exact amount.

8. What is the retention number?

Finally, each ransomware insurance policy has a retention number. The retention number, like a deductible in other insurance policies, is the amount your business must spend before the insurer is responsible for paying claims. It is crucial to understand your policy's retention number because, similar to everything else, these figures might differ significantly between policies. Your team should also think about whether they believe their response will be less expensive than the retention number in the event of an incident. If you believe the response will cost less than the retention number, you might not want to report the incident to your insurer, because doing so introduces a third party into your incident response process and initiates drawn-out approval processes, adding a lot of unnecessary effort.

Make it a Priority to Understand Your Ransomware Insurance Policy

These types of insurance policies are becoming increasingly important in today's incident-heavy world. But in order to choose the right policy for your organization and then get the most out of your policy when you need it, it's important to understand certain key points contained within it.

Top ransomware insurance companies in the USA:

  1. Chubb: direct written premiums $473.1 million; market share 9.8%
  2. Fairfax Financials: direct written premiums $436.4 million; market share 9.0%
  3. AXA XL: direct written premiums $421 million; market share 8.7%
  4. Tokio Marine HCC: direct written premiums $249.8 million; market share 5.2%
  5. AIG: direct written premiums $240.6 million; market share 5.0%