Cyber attackers might use ransomware to threaten and demand different things, with differing consequences for claims under a cyber or K&R policy


How might a kidnap and ransom insurance (K&R) policy perform compared to standalone cyber insurance in response to a malware attack?

Cyber extortion against companies, and how insurance products respond to it, was the topic of a breakfast briefing held in London by law firm Clyde & Co.

Clyde & Co partner Michelle Crorie advised insurers to distance themselves from legal risk by offering policies reimbursing the client where a ransom is then paid.

Any response consultant communicating with the attackers would still need to carry out due diligence, stressed Crorie.

Prison warning

Companies or their insurers using cyber extortion policies to make ransomware payments were warned that failing to carry out proper due diligence when responding to ransomware demands could have criminal consequences, as they risk falling foul of counter-terrorism laws, which differ markedly country by country.

Will Healy, associate in cyber insurance with Clyde & Co, explained that in the UK section 17A of the Terrorism Act of 2000 meant any firm making a payment, whatever the mode of attack, needed to be confident the payment was not being made to groups attacking for the purposes of terrorism.

The consequences of breaching this law include a prison sentence of up to 14 years, a fine, or both, he warned.

Healy said: “The question of when an offence is committed under section 17 is a little bit of a grey area because you can commit an offence if you have reasonable cause to suspect that the payment is to be made in response to demands made for the purposes of terrorism.

“There’s not an enormous amount of guidance on how that provision is to be interpreted, but it is clear that insurers do not need to prove beyond all doubt that the payment will not be made for the purposes of terrorism. So that is positive,” continued Healy.

“Equally however, it does not mean that an insurer has carte blanche to pay a ransom without carrying out any sort of due diligence. It is not acceptable to say, ‘I have no idea who is making this ransom demand, I’m not going to do any investigations into the identity of the person making the demand, and because of this I have no cause to suspect it is a terrorist and so I’m going to pay it.’ That’s not an acceptable stance to take,” Healy added.

Guidance from Lloyd’s in 2015 recommended carrying out “enhanced due diligence checks in line with their general money laundering obligations”.

Healy explained this meant analysis of the threat made and the actions of the extortionists, and that it was almost always necessary to engage with forensic investigators.

Any suspicion that the payment will be made for the demands of terrorism was enough reason for the payment not to be made. Further investigations would then be required to confirm or deny the suspicions.

If the suspicions cannot be eliminated, the only way in which payment can be made is to seek consent from the National Crime Agency. Healy recommended a strong compliance framework for handling ransom demands.

K&R / cyber extortion

Crorie explained how kidnap and ransom insurance could cover cyber extortion, and how the quality of the response consultant had been a key feature in the sale of these policies.

She said she expected this to soon become the case with newer cyber policies protecting against extortion, but highlighted key differences between the two types of policy.

These differences included business interruption costs, which are generally included in cyber policies, and, more significantly, the requirement in K&R policies that the attacker make some demand.

She said: “If somebody were to come into your system and take money or take data out to do what they wish with it for whatever nefarious purpose, this would not be covered under a traditional K&R policy.

“But if they actually ask for some kind of payment in order to prevent the access or prevent the use of the information, then it does fit within a K&R policy.”

Cyber policies were described as more ambiguous in how they could be interpreted around cyber breaches of security.

She added: “Cyber extortion in cyber policies can be slightly different to K&R mainly because they didn’t evolve in the same way from the traditional concept of extortion. Rather they start from cyber issues and move towards extortion.

“So cyber policies use slightly more technical language in the way that they cover cyber extortion, but actually their definitions are looser, which may or may not be a benefit.

“So whereas we have very tight wording in K&R policies around the threat that needs to be made demanding a ransom, which is either money or services from the victim, the kinds of cyber extortion that we’ve seen from cyber policies involve things like a threat to breach data security or a threat of having an impact on computer systems or a threat to reveal sensitive business data.”

She warned this meant in the case of a cyber attacker demanding something other than money or services, such as activists demanding an employee be fired, a K&R policy may not provide cover.

Be sure to check out this recent editorial by StrategicRISK editor David Benyon, on the blurring of cyber, ransomware, and K&R risks.