Adjust Your Liability Insurance to Include Cyber Extortion Coverage
After reading a recent article about cyber security liability coverage and what losses are or are not covered (refer Ice Miller Legal Counsel, Q2/20), I spent a week searching for cases where the interface between insurance companies and the judicial system was as convoluted as in the case of G&G Oil Company of Indiana (2017). The firm fell victim to a ransomware attack that encrypted their network, servers and most workstations, rendering them inaccessible. This case went all the way to the Indiana Circuit Court of Appeals who ruled: limits the potential.
for a claim of a direct loss under computer fraud provisions to recover a ransom payment the victim has effectively, willingly made to the criminal hacker.” Further, “As the Court of Appeals reasoned, ransom payments themselves are not fraudulently induced because the attacker explicitly requests money from the victim in exchange for decryption, and the victim has the choice whether to pay the attacker.”
I was hard pressed to find many cases like G&G in the press. Not surprising, since court rulings on cyber-attacks is undesirable PR. Until customers are so compromised that the information becomes public knowledge do the legal aspects get aired. By then, customers see the ransomed company, not the cybercriminal, as the negligent culprit.
One can assume that all courts struggle with what is illegal, punishable and to what extent, relative to cybercrime offenses and the associated loss. I explored what the judicial system considers “deception” using the synonyms fraud, cheating, contrivance, misrepresentation while trying to ascertain why some courts rule that stealing or rendering useless the lifeblood of a company (its DATA!) is not a crime unless the act is done deceitfully. In the G&G case where the ransom was ruled unrecoverable, the cognitive phrase is “. a ransom payment the victim has effectively, willingly made to the criminal hacker”.
I seriously doubt anyone has willingly parted with money (a ransom) to regain use of their proprietary data, regardless of whether it was acquired through deceptive means, or a perpetrator is forthcoming (?!) by demanding a ransom. Either way, if my data is stolen and I want it back, I must pay something. Yes, fees are actually negotiable and there are people who do that for a living, as well!
What we can learn from the G&G case:
- Make sure ransomware response is part of your corporate planning and ask your insurance company what coverage you need to ensure most if not all your losses (and ransoms) would be (Refer “cyber extortion coverage” that can be an extension of a basic cyber liability protection plan).
- Don’t pay a ransom without first discussing it with your insurance
- Find out where you stand with recouping costs of other losses even if ransom payments are not recoverable, such as property coverage for computer data and software corruption as well as reduced computer systems’ speed and efficiency.
Lastly, in the good ‘ole days criminals were criminals and were punished, accordingly. Over time, formerly considered “criminal acts” have been redefined and subcategorized as devious, torturous, illegal, unconstitutional, fraudulent, felonious (to name a few), then deliberated by courts to determine whether the act being contested is punishable by law and to what degree. With modern complications to the judicial process, you are well served to learn how Cyber Extortion Coverage strengthens one’s position restoring “cyber loss” your business may need to claim.
And don’t forget that your best defense is a great offense: Engage a qualified cyber career specialist to help implement and document security measures your team is taking to thwart cyber criminals targeting your business!
Pamla Davitt, VP Business Development, Data-Guard 365
Data-Guard 365 is a MSSP firm headquartered in Indianapolis, Indiana, with offices in Chicago, Atlanta, and other strategic locations across the globe. The company is a one-of-a-kind business partner whose people, processes, and technology provide invincible cyber security for a price point that pays for itself.
www.Data-Guard365.com / (317) 967-6767 / info@data-guard365.com
Back to Articles/Blog
