With ransomware spreading at epidemic rates in recent years, insurance companies have responded by offering cyber extortion insurance (CEI) as an optional addition to basic cybersecurity coverage. CEI protects against losses incurred through ransomware and denial-of-service attacks by providing funds that businesses can use to pay the hacker’s extortion, typically in cryptocurrency.
Or that’s how it usually works, anyway. CEI policies tend to be heavily customized and don’t always pay the ransom automatically, according to Corey Nachreiner, CTO of WatchGuard Technologies Inc., a Seattle-based IT security company.
Good policies cover more than just ransoms, he adds. For example, CEI generally pays for the cost of recovery, including restoring databases, complying with breach notification requirements, buying credit monitoring services, and engaging outside experts. Should businesses need the services of a PR firm to help restore their reputation, or forensic experts to find and fix the vulnerabilities that allowed bad guys to get in, CEI typically pays those expenses too. Some policies allow businesses to recoup lost revenue from ransom-related downtime.
Nachreiner is ambivalent about extortion insurance. “I always say don’t pay the ransom, but it’s kind of white-tower advice,” he observes. “Say you’re a hospital and need access to imaging data to operate on a patient. There are situations where it’s not black and white.” When paying up is the wisest move, having an insurer foot the bill can save policyholders big money.
Brokers say it’s too early in the game for insurance companies to have amassed good actuarial data on the risks of cyber extortion, which makes setting prices difficult. Nachreiner says a typical premium for a small business without particularly sensitive customer data will run between $60 and $100 a month. “There’s lots of negotiating room and fine print,” he adds.
Included in that fine print are conditions that can invalidate a claim, such as sloppiness in password practices, lack of patching, and inadequate security controls. “Consent” clauses often require at least one top-level executive of the insured firm to approve paying the ransom, which can turn filing an extortion claim into a career-damaging move.
The good news? Just as life insurance companies looking to boost their bottom line often provide advice on good health habits, many CEI insurers offer their customers useful guidance on better cybersecurity practices. Ironically, businesses that embrace those suggestions usually end up significantly reducing the risks that made buying the policy a good idea in the first place. That, however, is a pretty good trade-off at the end of the day.