
Crawford & Company: Cyber Risk - To pay or not to pay, that is the question

06/14/2021 | 06:31am EDT

The ongoing debate as to whether insurers are prepared to, or should, underwrite ransom payments and demands by cybercriminals continues to exercise the market. The paper explores the risks attaching to this muted shift in market practice, with specific reference to the potential impact on cyber BI claims and the ability to mitigate overall exposure.

In the GB Cyber Market Conditions Report 2021, cyber-related business interruption was the coverage that buyers were most interested in purchasing, at 68%. Cyber extortion/ransom was second in this list at 61%. The correlation between these two heads of cover is well known, with disruption to operational activity now being a core modus operandi for threat actors, whether that be through decryption, DDoS or stealing of data and/or intellectual property.

Some commentators have already expressed an opinion that the current 'normal' coverage, whereby insurers provide cover for ransom payment, provides a platform for threat actor activity, as the insured has little to lose by paying a ransom quickly. The risk is transferred and, if they are fortunate and the decryption keys supplied by the criminals restore data and files quickly, then they and insurers gain by mitigating any BI loss. Clearly, even under the current coverage, insurers and the insured must satisfy themselves that paying the ransom makes economic sense (no point in paying a $3m ransom to reduce BI costs by $1m), but even if the initial ransom demand is not economically viable, this can often be negotiated down by professional negotiators to create a scenario whereby the payment may be economically justified.

The risk attaching to no longer covering the ransom payment will be that, in practice, it will be difficult, if not impossible, for the insurer to have any direct input into whether or not the ransom should be paid, as, if specifically excluded, this now represents an uninsured loss. Consequently, the insured will want to base the decision on whether or not to pay the ransom on business case alone, which may place the insurer and the insured at odds. Let's look at a worked example to see how this might play out.

ABC Ltd (the insured) suffers a cyber-attack and has a three-month maximum indemnity period. Hackers have demanded £1m for a decryption key.

The insured estimates that their BI loss will amount to £2m if they pay for the decryption key and are able to quickly restore their files and relevant data. If no ransom is paid, they estimate their BI loss will be £4m, as it will take longer to restore files and data. Under the current status quo, the ransom would be paid by insurers and insurers' total liability will be £3m (£2m BI + £1m ransom) as opposed to £4m if no ransom is paid.

If the insured is responsible for the ransom payment/cost per a specific exclusion, would they be contractually or legally obliged to pay the ransom? From their point of view, there is little point in paying the ransom, as the increased BI costs arising from not paying the ransom will be the liability of insurers. If the insured pays the £1m ransom they will potentially be out of pocket by £1m. In such a scenario, insurers would clearly want the ransom to be paid, as their liability for the BI loss reduces from £4m to £2m. Could insurers use the argument that the insured has a duty to mitigate their loss and thus is required to pay the ransom? One can certainly see this argument being used but, of course, real life bears little similarity to worked examples. The truth is that in the early aftermath of a cyber-attack, both insurers and the insured will find it difficult to estimate the potential BI loss if the ransom is paid/unpaid, so it would be totally understandable for an insured to inform insurers that they don't believe payment of the ransom is economically justified, decide not to pay it, and then find several months later that the eventual BI loss is far greater than initially estimated.

A corollary of this is that the early involvement of forensic accountants to estimate potential BI exposure under various payment and non-payment scenarios becomes crucial. There may of course be other reasons for non-payment of the ransom aligned to the threat actor profile, sanctions checks or moral concerns. Research has also shown that companies who do pay a ransom are often attacked again at a later date as cybercriminals are now aware that they are a soft target or 'payers'.

Given the above, it seems probable that an insured will only be keen to pay a ransom where the BI loss outside the indemnity period (and consequently uninsured) is estimated to be reduced by an amount exceeding the ransom payment. It therefore seems certain that the exclusion of ransom payments by insurers may create a situation in which an insured is unwilling to pay a ransom even though payment will substantially reduce the liability of insurers. One questions whether, ultimately, insurers will be obliged to make a 'contribution' towards a ransom payment where they are the principal beneficiary even though this is specifically precluded by the policy.

There is of course a precedent for such an arrangement. In the food industry, supermarket suppliers who are unable to fulfil orders due to an insured event, such as a fire, are often hit with large 'penalties' by the relevant supermarket chain. These are to compensate the supermarket for having 'empty spaces' on shelves and allegedly losing sales although in reality alternative suppliers are often given a trial in such situations. Although there is usually no legal or contractual obligation to pay such a 'penalty', payment is often made to safeguard the future relationship with the supermarket. As penalties are almost always specifically excluded in most BI policies, insurers have no reason to indemnify the insured for such a payment. However, in practice, insurers often make a substantial contribution to the payment of such penalties as their own BI exposure will be significantly reduced by such payment. It remains to be seen if the exclusion of ransom payments will result in a similar sort of arrangement between insurers and the insured being arrived at.

A further possible consequence of such a move by an individual insurer is that cybercriminals will merely focus on companies whose cyber insurance policies cover the ransom payment. Cybercriminals unfortunately often gain knowledge of their target's insurance policy so this would not be a difficult step for them to take.

In conclusion, this is clearly an innovative and positive step in the fight against cyber-crime, but it may give rise to some unintended consequences which will need to be carefully monitored and managed to avoid a potential increase in Business Interruption exposure.

To find out more about Crawford's cyber expertise visit https://www.crawco.com/services/cyber-risk


Crawford & Company published this content on 14 June 2021 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 14 June 2021 10:30:05 UTC.

© Publicnow 2021