Crawford mpany : Cyber Risk - To pay or not to pay, that is the question

The ongoing debate as to whether insurers are prepared to, or should, underwrite ransom payments and demands by cybercriminals continues to exercise the market. The paper explores the risks attaching to this muted shift in market practice, with specific reference to the potential impact on cyber BI claims and the ability to mitigate overall exposure.

In the GB Cyber Market Conditions Report 2021, the cyber-related business interruption was the coverage that buyers were most interested in purchasing at 68%. Cyber extortion/ransom was second in this list at 61%. The correlation between these two heads of cover is well known with disruption to operational activity now being a core modus operandi for threat actor whether that be through decryption, DDOS or stealing of data and/or intellectual property.

Some commentators have already expressed an opinion that the current 'normal' coverage whereby insurers provide cover for ransom payment provides a platform for threat actor activity as the insured has little to lose by paying a ransom quickly. The risk is transferred and if they are fortunate and the decryption keys supplied by the criminals restores data and files quickly, then they and insurers gain by mitigating any BI loss. Clearly, even under the current coverage, insurers and the insured must satisfy themselves that paying the ransom makes economic sense (no point in paying a $3m ransom to reduce BI costs by $1m) but even if the initial ransom demand is not economically viable, this can often be negotiated down by professional negotiators to create a scenario whereby the payment may be economically justified.

The risk attaching to no longer covering the ransom payment will be that in, practice, it will be difficult, if not impossible, for the insurer to have any direct input into whether or not the ransom should be paid, as if specifically excluded this now represents an uninsured loss. Consequently the insured will want to base the decision on whether or not to pay the ransom on business case alone, which may place the insurer and the insured at odds. Let's look at a worked example to see how this might play out.

ABC Ltd (the insured) suffers a cyber-attack and has a three-month maximum indemnity period. Hackers have demanded £1m for a decryption key.

The insured estimates that their BI loss will amount to £ 2m if they pay for the decryption key and are able to quickly restore their files and relevant data. If no ransom is paid they estimate their BI loss will be £4m as it will take longer to restore files and data. Under the current status quo, the ransom would be paid by insurers and insurers' total liability will be £3m (£2m BI + £1m ransom) as opposed to £4m if no ransom is paid.

If the insured is responsible for the ransom payment/cost per a specific exclusion, would they be contractually or legally obliged to pay the ransom? From their point of view, there is little point in paying the ransom as the increased BI costs arising from not paying the ransom will be the liability of insurers. If the insured pays the £1m ransom they will potentially be out of pocket by £1m. In such a scenario, insurers would clearly want the ransom to be paid as their liability for the BI loss reduces from £4m to £2m. Could insurers use the argument that the insured has a duty to mitigate their loss and thus are required to pay the ransom? One can certainly see this argument being used but of course, real-life bears little similarity to worked examples. The truth is that in the early aftermath of a cyber-attack, both insurers and the insured will find it difficult to estimate the potential BI loss if the ransom is paid/unpaid so it would be totally understandable for an insured to inform insurers that they don't believe payment of the ransom is economically justified, decide not to pay it, and then find several months later that the eventual BI loss is far greater than initially estimated.

A corollary of this is that the early involvement of forensic accountants to estimate potential BI exposure under various payment and non-payment scenarios becomes crucial. There may of course be other reasons for non-payment of the ransom aligned to the threat actor profile, sanctions checks or moral concerns. Research has also shown that companies who do pay a ransom are often attacked again at a later date as cybercriminals are now aware that they are a soft target or 'payers'.

Given the above, it seems probable that an insured will only be keen to pay a ransom where the BI loss outside the indemnity period (and consequently uninsured) is estimated to be reduced by an amount exceeding the ransom payment. It therefore seems certain that the exclusion of ransom payments by insurers may create a situation in which an insured is unwilling to pay a ransom even though payment will substantially reduce the liability of insurers. One questions whether, ultimately, insurers will be obliged to make a 'contribution' towards a ransom payment where they are the principal beneficiary even though this is specifically precluded by the policy.

There is of course a precedent for such an arrangement. In the food industry, supermarket suppliers who are unable to fulfil orders due to an insured event, such as a fire, are often hit with large 'penalties' by the relevant supermarket chain. These are to compensate the supermarket for having 'empty spaces' on shelves and allegedly losing sales although in reality alternative suppliers are often given a trial in such situations. Although there is usually no legal or contractual obligation to pay such a 'penalty', payment is often made to safeguard the future relationship with the supermarket. As penalties are almost always specifically excluded in most BI policies, insurers have no reason to indemnify the insured for such a payment. However, in practice, insurers often make a substantial contribution to the payment of such penalties as their own BI exposure will be significantly reduced by such payment. It remains to be seen if the exclusion of ransom payments will result in a similar sort of arrangement between insurers and the insured being arrived at.

A further possible consequence of such a move by an individual insurer is that cybercriminals will merely focus on companies whose cyber insurance policies cover the ransom payment. Cybercriminals unfortunately often gain knowledge of their target's insurance policy so this would not be a difficult step for them to take.

In conclusion, this is clearly an innovative and positive step in the fight against cyber-crime, but it may give rise to some unintended consequences which will need to be carefully monitored and managed to avoid a potential increase in Business Interruption exposure.

To find out more about Crawford's cyber expertise visit https://www.crawco.com/services/cyber-risk