Ransomware: A persistent challenge in cyber insurance claims
Ransom payment considerations
The potential for privacy liability is typically among the many factors that may influence the decision of whether to pay a ransom. However, it can be difficult to place a value on that liability when deciding whether paying will be economically beneficial or reduce future liability. Privacy liability claims have significantly increased over the past few years, and settlement values have also been increasing, making this an important unknown.
The decision can be more straightforward when criminals encrypt data and cause business interruption (BI) losses. For example, a company might be able to determine that BI losses are costing $1 million per day. If the cost to decrypt will be $X thousands and will enable the business to be up and running in a few days, the math may point to a decision to pay. Every situation is unique, and a decision to pay or not to pay a ransom can have consequences beyond the specific incident at hand.
Other factors that may influence the decision to pay include whether the exfiltrated data is business sensitive, or possibly embarrassing.
In some instances, insurers may more deeply scrutinize ransom payments where there is no encryption, especially if breach notification laws are triggered. If ambivalence about paying ransoms increases, some observers wonder if data theft will go full circle, with more criminals simply selling stolen data on the dark web and avoiding working with their victims.
Conclusion: Cybersecurity strategy and controls are key
As cyber risk continues to evolve, companies need to monitor and adjust their cybersecurity controls and engage claims advocates, among other measures. When a claim does arise, it’s important to follow proper steps, such as notifying insurers, brokers, and other stakeholders and maintaining proper documentation.
More broadly, companies should have a cyber resilience strategy that incorporates a view of cyber risk across the enterprise, including its potential economic and operational impact.
This includes accounting for cybersecurity at vendors and other third parties and undertaking regular tabletop exercises and response evaluations.
We can help you quantify your cyber risk exposures with scenario-based loss modeling, benchmark potential cyber event losses and costs, consider the effectiveness of cybersecurity controls from a financial perspective, assess the economic efficiency of multiple cyber insurance program structures, and help manage your claims, should one arise.
Using panel vendors can improve claims management
When a cyber incident occurs, many companies will turn to outside vendors to manage aspects of the event. Many insurers have a panel of vendors that are pre-approved to work on cyber incidents and claims. Marsh has found that clients using their insurer’s pre-approved vendors can significantly improve the average time from event notification to receiving confirmation of coverage or first payment: just over 2 months when using a panel, compared with more than 12 months when using non-panel vendors.
Why Marsh?
Cyber risk is complex and pervasive. Marsh’s Cyber Practice provides organizations with experienced risk advice when managing their exposures.
- In-house legal, technical, and incident response practitioners to help clients before, during, and after cyber events.
- The incident management experience that comes from handling over 1,800 cyber and technology claims annually.
- Digital innovations to augment cyber response programs.