On June 27, 2017, the world had its second major ransomware attack in two months, and experts are predicting more to come. The first, named WannaCry, began May 12, and quickly spread to over 400,000 machines, the vast majority of which were using outdated Windows operating systems. Within one day the virus was in 150 countries. Within four days the damages were estimated at over a billion dollars. So far only around $130,000 has been paid into Bitcoin accounts, and none of the money has been touched. Indeed, it is unlikely the criminals will be able to access the money without being traced.
Again on June 27, 2017, the world was hit with another ransomware attack, a variant of the known Petya ransomware, aptly named NotPetya. On day one, 80 companies in Russia and Ukraine were affected. Within one week it hit 2,000 users in Russia, the European Union, the United States, Asia, and Australia. This attack used a more sophisticated virus, locking entire computer systems, and, unlike WannaCry, it has no kill switch, the successful device that researchers developed to stop the spread of WannaCry. The virus affected banking, government, airports, and corporations. Even the Chernobyl plant was affected, where radiation monitoring had to occur manually. This attack, which only demands 300 bitcoins to unlock data, was reportedly not designed to make money, but only to cause mayhem. Some are calling it more of a cyber weapon than ransomware. Indeed, there is no way to pay the ransom any longer as the emails attached to the bitcoin accounts were shut down.
Both of these attacks exploited outdated software which allowed the virus to spread through networks to any vulnerable computer. The hacking tools permitting the criminals to continue their efforts were reportedly leaked from the NSA and, most importantly, impacted companies that continue to delay system-wide updates to their networks. According to experts, ransomware is growing at a yearly rate of 350%. Damage costs from ransomware in 2017 are estimated to exceed $5 billion, including possible loss of data, lost business income, investigation, restoration, business interruption, and reputational harms.
Companies have experienced business income losses from these recent ransomware cyber-attacks. Unfortunately, there will be more attacks in the future. Can the companies which have suffered these losses turn to their insurers and expect to be covered for these losses? The answer will depend on the type of policy the company purchased, its terms and conditions, and the specific facts of each claim.
Numerous insurers offer cyber insurance, either as stand-alone policies or via an endorsement. The policies’ coverages, terms, and limits may vary. There is no standard cyber insurance form. If a company has a cyber policy and suffers a loss from a ransomware event, look carefully at the policy’s coverages to see if coverage is triggered in the first place in light of the facts. If coverage is triggered, then examine the exclusions, as one or more may apply in light of the facts of a particular claim. It may be that the policy has a malware or ransomware exclusion, which means there is no coverage. If there is coverage, then look to the policy to determine the types of costs recoverable, and also be cognizant of limits, sub-limits, and policy conditions.
A cyber policy typically provides first-party coverage for certain costs an insured company may incur because of a breach or other covered event. These costs may include: (a) investigation costs, including computer forensic services; (b) customer notification costs; (c) costs for data restoration, re-creation and/or system recovery; (d) crisis management or public relations costs; (e) business income losses; and (f) legal fees. If a cyber policy does provide coverage for an insured’s business income losses caused by ransomware (or other forms of malware), there may be a limit to the amount of the coverage.
A cyber policy typically also provides third-party liability coverage. In general, the insurer will agree to defend and/or indemnify the insured if a third party, who suffers a loss allegedly due to the insured’s conduct, brings a claim against the insured. Once again, look to the specific policy language to determine whether coverage is triggered in the first place in light of the facts.
Do traditional first-party property policies and commercial general liability policies provide coverage for an insured’s losses from ransomware cyber-attacks? Most likely, the answer is no.
Commercial first-party property policies require direct physical loss or damage to insured property from a covered cause of loss. If there is a ransomware attack, the threshold coverage issue is whether there was, in fact, direct physical loss or damage. If there was no physical loss or damage, coverage is not triggered. Depending on the facts, it may be extremely difficult for an insured to show physical loss or damage to its property from a ransomware attack.
First-party policies may also include coverage for business income losses. Business interruption insurance is designed to compensate an insured for its actual business interruption losses resulting directly from physical damage by an insured peril to the insured’s covered property. An insured has the burden to establish: (1) physical damage; (2) caused by a covered peril; (3) to covered property; (4) an actual and necessary interruption of the insured’s business; (5) the interruption must be caused by the insured physical damage; and (6) actual loss resulting directly from the interruption of the business. See also K. Clark Schirle, Time Element Coverages in Business Interruption Insurance, The Brief, Fall 2007. Once again, the insured has a heavy burden to prove physical loss or damage before it can trigger coverage for business income losses from a ransomware attack.
Even if an insured were successful in proving physical loss or damage to its property from a ransomware attack, other provisions may apply to bar coverage. The property policy may state that electronic data is not covered property. Commercial first-party policies typically contain an exclusion for losses arising out of damage to or destruction of electronic data. The first-party policy may also contain an exclusion for losses arising from the use of a computer, computer system, software program, malicious code, computer virus or process, or any other electronic systems as a means of inflicting harm. The policy may also contain a terrorism exclusion.
Accordingly, a traditional first-party property policy will probably not provide coverage if a company suffers a ransomware attack.
Similarly, a company will most likely be unable to recover under a traditional third-party commercial liability policy if a third party brings a claim against it relating to a ransomware attack. Typically, liability policies provide that they will pay on behalf of the insured sums the insured becomes legally obligated to pay as damages because of bodily injury or property damage arising from an occurrence. Property damage is usually defined as physical injury to tangible property. As with property policies, the insured may have an extremely difficult time proving there was property damage to trigger coverage. Further, many policies state that electronic data is not “tangible property”, which means there would be no coverage. Even if the insured could overcome those hurdles, liability policies also usually include exclusions, such as electronic data exclusions, which would apply in the event of a claim involving a ransomware attack.
Although ransomware attacks have existed for some time, they have recently increased in scope and severity. There will be more in the future. Unfortunately, companies around the world have suffered significant losses from these attacks. If a company submits its losses to an insurance carrier, one has to carefully study and analyze the types of policies the company has purchased, and the policies’ coverage terms, conditions, and exclusions in light of the facts. As a general rule, if the company has purchased a cyber policy, there may be coverage for certain costs that result from a ransomware attack. If the company has a traditional first-party or liability policy, there is most likely no coverage.