Cyber Insurance Coverage for Businesses & Ransomware

As cybersecurity threats are on the rise, businesses are increasingly looking to cyber insurance to help protect themselves. With regard to ransomware, many business owners have begun to consider insurance based upon concerns about what would happen if their business was entirely put on pause– or worse, if years of hard work were altogether wiped out or they were completely unable to service clients. Cyber insurance can help protect businesses in the aftermath of these situations. However, insurance policies often have different scopes of coverage and their own procedures, You’ll want to be aware of these and some recent developments in the ransomware area before a cyber event occurs.

When discussing cyber insurance policies and how they address ransomware, there are a variety of factors to consider. For instance, most policies have very specific language that describes the types of situations that will and will not be covered. Moreover, claims typically need to be made promptly after an incident occurs. For these reasons, you should review your policies very carefully.

You should also consider what type of cyberthreats may or may not be included in your insurance coverage. For example, insurers often exclude ‘acts of war’ from coverage and this exclusion often includes cyber claims. Thus, if you are the victim of a cybercrime committed by a foreign entity, your insurer my deny your claim. This was what occurred when Merck, a U.S. pharmaceutical company, fell victim to a widespread cyberattack in 2017. The ransomware made the company’s computers and networks inaccessible, destroying data across 40,000 computers in a major financial setback of $1.4 billion. While the company held a $1.75 billion insurance policy, including coverage for its software, their insurer denied the claim because they considered the attacks to be part of Russian hostilities against Ukraine. In 2019, Merck sued the insurer arguing that because the attack wasn’t “an official state action” by Russia, it shouldn’t fall under the “acts of war” clause in the policy. The New Jersey court ruled in Merck’s favor due to their strict interpretation of the insurance company’s “acts of war” clause, which didn’t specifically cite cyber incidents.

Often times in these cases, it may be difficult for businesses to file claims not only because of strict reporting guidelines and policy specifics, but also because damages must be proven to pursue a claim. In the case of cyberattacks, there may be no immediate physical loss, so damages aren’t readily apparent. Despite this, cyber insurance does reliably pay out claims. According to Marsh, U.S. insurance carriers paid cyber claims totaling an estimated $394 million in 2018 alone.

When facing cyber threats, not only is it important to have a specialist at your side, but someone who knows your business’ rights. Your business attorney should, therefore, also be well-versed in cybersecurity. Feel free to reach out to me should you need that type of assistance.

The information presented here is for general educational purposes only. It does not constitute legal advice and does not create an attorney-client relationship.