For the last two weeks, I have had more phone calls and/or emails about Ransomware coverage and limits than I have had in the past year. Since the Colonial Pipeline ransomware disaster, it seems that many banks that have a connection to the internet are in a semi-panic about insurance coverage for this exposure. There is a great deal of confusion about what Ransomware is and where the insurance coverage can be found. This newsletter will help to clarify this situation.
What is Ransomware?
“Ransomware” is just another word for Cyber Extortion. This is a threat to your computer system from a hacker or disgruntled employee placing, or threatening to place, a virus that would destroy or shut down your computer system. The idea is that if you pay a “ransom” the Cyber Extortionist will remove the virus, not place the virus, or not steal the sensitive data stored on the bank’s computer system. It is very similar to the good old-fashioned bomb threat. Here, an extortionist says there is a bomb in a bank building or an employee’s home, and unless a certain sum of money is paid, they will explode the bomb. In the case of “ransomware” the virus is the “bomb.” So where is the insurance coverage?
Insurance Coverage for Ransomware
Unfortunately, the insurance coverage can often be found in TWO places. Yes, I meant “unfortunately.” Ransomware is a “first party” exposure, in that it only harms the bank (at least, initially). By “first party,” I mean that it is a CRIME exposure and not a Liability exposure. Right now, no one is suing the bank, and therefore, the loss is only to the bank. Extortion, whether it be a threat to the bank’s computer system or the bank’s personnel, is a crime and therefore best addressed in the Financial Institution Bond. Most insurers of Financial Institution Bonds freely include Kidnap/Extortion coverage, usually without a deductible applying. The coverage usually includes the standard Kidnap, Ransom, and Extortion perils, as well as Cyber Extortion.
However, you need to examine your policy closely in this area, as many insurance companies are now placing a sublimit on Cyber Extortion, or excluding it altogether, because of the potential for serious losses in the Cyber Extortion area.
At the beginning of this section, I stated that unfortunately coverage could be found in TWO places. Most Cyber Liability policies will include a First Party coverage section which would include Cyber Extortion. If coverage is purchased here, there are now two policies covering the same exposure. Both policies will have an “Other Insurance Clause,” which states that their policy will be secondary to any other applicable coverage. This REALLY gets to be a problem when two different insurance companies are involved. Which company will pay for the loss? Will they share in the loss? The Bond coverage usually does not have a deductible, whereas the Cyber Liability usually has a hefty one, making this situation even more complicated. Cyber Extortion losses are complicated enough without two insurance companies being in conflict over who is going to cover the loss and for how much!
I advise my clients to cover this exposure under the Bond Kidnap/Extortion area making sure there is no sub-limit for Cyber Extortion and EXCLUDE it from the Cyber Liability policy. This solves the Other Insurance problem. If the Bond carrier will agree to be primary, all the better. Then, the Cyber Liability policy will be excess over the Bond.
In conclusion, let me make a short note on what LIMIT to purchase in the Kidnap/Ransom/Cyber Extortion area of the Bond. Most Bond carriers will confine the limit in this area to no more than the Employee Dishonesty limit of the Bond. I recommend obtaining the maximum amount possible for this exposure.
Hopefully, this article has given you some ideas on how to plan your insurance coverage for this risk of loss.