In fact, ransomware has been around for several years, and has become the fastest-growing cause of cyber insurance business claims, according to data compiled by CFC Underwriting. The company says ransomware accounted for just over 10% of insurance claims a year ago, but it now accounts for almost a quarter of all claims. And in the week after the WannaCry attack, cyber insurance sales were 40% higher than the week before, indicating that companies are now taking the risks presented by ransomware seriously.
One reason for this is that it is very easy for criminals to download ransomware kits from the Internet and start spreading their own malware. This raises an important question: Are the risks of a ransomware attack best covered by cyber insurance, or by more conventional crime insurance? Some companies, put off by the high cost of cyber insurance, have tapped kidnap & ransom policies to cover some of the costs of a ransomware attack – and insurers have responded by limiting coverage for K&R policies in ransomware events. A cyber insurance policy may cost more – about two to four percent of the liability limits – but it will also cover more.
"Although ransomware attacks are a crime, the risk falls under cyber risk," said Bryan Banbury, the managing director of insurance broker Russell Scanlan. "Crime and cyber risks are often linked."
Losses that can be expected following a ransomware attack fall into several categories, including business interruption, which Banbury said would be covered, as well as the costs associated with removing infections from machines (which can be substantial) and recovering data that the ransomware makes inaccessible.
This raises other important questions. For example, does cyber insurance cover the cost of paying criminals the ransom demanded to regain access to locked data? If reliable backups are available, should companies try to recover data from backups first, even if it would be less expensive to pay a ransom?
Banbury's advice is that, in the event of a ransomware attack, victims should talk over the possible courses of action with their insurers. "Most policies would cover paying a ransom, but they would pay the money to the client – insurers wouldn't want to get involved with criminals directly," he said. "But they would probably want a company to do everything they can from an IT perspective to get data back first. Paying a ransom would be the last resort because of the concern that the criminal would then come back with another attack."
It's important to keep the cost of paying a ransom in perspective, however: CFC Underwriting's data suggests that for an SME struck by a ransomware attack, the average cyber insurance claim is in the range of $15,000-$65,000. Of that, the majority is to cover the cost of specialized help to disinfect IT systems rather than pay ransoms.
For more on cyber insurance, see our primer "Cyber Insurance: Insuring Your Data When Protecting It Fails." For more on ransomware, see our series: "How to Stop Ransomware," "Common Types of Ransomware" and "Understanding Ransomware Vectors Key to Preventing Attack."