Kidnap coverage used against ransomware attacks
Insurers see customers' claims becoming more common
NEW YORK/LONDON — Companies without cyber insurance are dusting off policies covering kidnap, ransom and extortion in the world’s political hot spots to recoup losses caused by ransomware viruses such as WannaCry, insurers say.
Cyber insurance can be expensive to buy and is not widely used outside the United States. One insurer previously described the cost as $100,000 for $10 million in data breach insurance.
Some companies do not even consider it because they don’t think they’re targets.
The kidnap policies, known as K&R coverage — for kidnap and ransom — typically are used by multinational companies seeking to protect their staff in areas where violence related to oil and mining operations is common, such as parts of Africa and Latin America.
Companies also could tap them to cover losses following the WannaCry attack, which used malicious software known as ransomware to lock up more than 200,000 computers in more than 150 countries, and demand payments to free them.
Payouts on K&R for ransomware attacks may be lower and the policies less suitable than those offered by traditional cyber insurance, insurers say.
“There will be some creative forensic lawyers who will be looking at policies,” said Patrick Gage, chief underwriting officer at CNA Hardy, a specialist commercial insurer, in London.
He added, however, that given K&R policies are geared toward a threat to lives, “our absolute preference is that people buy specific cover, rather than relying on insurance coverage that is not specific.”
American International Group Inc. (AIG), Hiscox Ltd. and the Travelers Cos. Inc. have been receiving ransomware claims from some customers with K&R policies as ransomware attacks become more common, the companies said.
The insurers declined to comment on total claims, citing confidentiality and client security concerns.
“We are seeing claims (over the past 18 months) but not a huge uptick,” a Hiscox spokeswoman said. “These are within expectations and entirely manageable.”
She declined to say whether the company had seen any such claims from the WannaCry attacks though Tom Harvey, an expert in cyber risk management at catastrophe modeling business RMS, said “insurers with kidnap and ransom books will want to look closely at their policy wordings to see whether they are exposed.”
A sharp rise in ransomware attacks in the past 18 months has driven companies to use K&R policies to cover some of their damages if they do not have direct cyber coverage or cannot meet initial cyber policy deductible costs, insurers said.
Symantec Corp., a cyber security business based in Mountain View, Calif., observed more than 460,000 ransomware attempts in 2016, up 36 percent from 2015, the company said. The average payment demand ballooned from $294 to $1,077 — a 266 percent increase.
But as the threat mounts, K&R insurers are at risk from steeper claims than they had anticipated. They are responding by making changes to their policies, which were not designed around ransomware, insurance brokers said.
MORE DAMAGING THAN KIDNAPPING
Most of the computers affected by WannaCry were outside the United States, where companies have been slow to buy cyber insurance. Nearly 90 percent of the world’s annual cyber insurance premium of $2.5 billion to 3 billion comes from the U.S. market, according to insurance broker Aon PLC.
Global companies typically buy K&R policies without ransomware in mind. But instances of high-tech hacks and online ransom demands can hit a company’s business more than an executive being held hostage.
“If your CFO gets kidnapped, the company is going to continue to function,” said Bob Parisi, cyber product leader for insurance broker Marsh, a subsidiary of Marsh and McLennan Cos.
“If you get a piece of malware in the system, you might have two factories that stop working. The actual damage is probably greater.”
The K&R policies, which typically do not have deductibles, cover the ransom payments as well as crisis response services, including getting in touch with criminal and regulatory authorities, said Kevin Kalinich, global head of Aon’s cyber risk practice.
Still, K&R policies may provide only a quick fix as they were not designed for ransomware. Companies can add coverage for business interruption, but the upper limits for payouts are usually lower than for a cyber policy, insurers say.
K&R insurers have been adapting to ransomware-related claims — some are modernizing coverage by setting up Bitcoin accounts for clients to speed up ransom payments, brokers said.
But insurers are mindful of their own risks.
Some have added deductibles, said Anthony Dagostino, head of global cyber risk at Willis Towers Watson PLC advisory and brokerage.
AIG has reduced business interruption coverage for K&R policies to a $1 million maximum for cyber extortion events.
“Insurers didn’t anticipate there would be this much ransomware activity,” said Tracie Grella, global head of cyber risk insurance at AIG.