What would you do if someone claimed to have accessed your customers’ private data and threatened to release the information unless you paid them $100,000?
E-Sports Entertainment Association League (ESEA), a competitive gaming community, received a message from a hacker last year claiming to have obtained access to its users’ data. The hacker demanded payment of $100,000 and threatened to release the information otherwise. ESEA remained in contact with the hacker while it attempted to patch the vulnerability that led to the breach. Members of ESEA received notification to change their passwords, but a week later the service was hacked a second time. The hacker threatened to sell the stolen data, consisting of more than 1.5 million usernames, email addresses, passwords, security question answers, and private personally identifiable information such as private messages, IP addresses, and phone numbers.
ESEA’s stance was that they do not comply with ransom threats, so the $100,000 was never paid to the hacker. Unfortunately, the hacker was not bluffing and user information from the breach found its way to LeakedSource, a searchable database website of hacked accounts.
Should ESEA have paid the $100,000 to protect their users’ private information? Is there an insurance policy that pays extortion threats?
Hardly a day goes by that we don’t hear about cyber extortion or a ransomware attack in the news. Cyber extortion involves an attack or threat to attack a company, which includes demands for money to stop the activity. Ransomware is the method that usually enables the extortion to be carried out. This comes in the form of a computer virus that prevents users from accessing files and data. The hacker(s) will encrypt data and hold it hostage until a sum of money is paid. If the money is not paid, the hacker(s) could permanently encrypt, delete, or expose personally identifiable information.
Cyber extortion is not covered under a general commercial liability, property, or crime insurance policy. But, on a properly written cyber policy, ESEA would likely have found coverage. With the partnership of a cyber insurance carrier, payment would have been made to the hacker in order to secure the data and dismiss the hacker. Depending on the carrier, a cyber liability policy can also provide an organization with a breach coach, forensic IT analysis, and financial assistance to determine the nature and extent of the breach, as well as notification costs that are legally mandated in 47 states. A cyber liability policy can also cover costs associated with the burden of a third-party claim or suit related to a breach.
Below are a few things to consider when evaluating cyber liability coverage for extortion:
- Make sure the policy includes business interruption coverage – Many carriers include business interruption coverage for lost revenue due to a system being shut down or held hostage by a cyber-attack, making the network unusable until demands are met. Some carriers will not automatically include this coverage; it may need to be added by endorsement.
- Check if the policy has an exclusion for failure to maintain security standards – This exclusion could result in the carrier denying a claim if the firewall, anti-virus software, or other security measures are not up to date.
- Be aware that a policy may require that payment of money demanded by an extortionist must be made at the direction of law enforcement – While it’s a good idea to get law enforcement involved when a breach occurs, law enforcement might direct the involved parties not to pay the hacker’s ransom. Law enforcement may take this position because of the belief that paying could inadvertently encourage a criminal business model and further increase the risk of being targeted again. In the event of an extortion claim, the decision whether a payment is made or not should ultimately be between the client and insurance company.
- Check coverage for repeated extortion demands by the same hacker – Some carriers include policy language that states they will not pay for repeated demands by any single extortionist or group of extortionists.
The above are a few of many important factors to consider when purchasing a cyber liability policy. One of the leaders in cyber insurance, Lloyd’s of London, projects a surge in cyber liability policies in 2017 after a 50% increase in 2016. Additionally, there was a reported 78% increase in cyber claims from 2015 to 2016, many being extortion related. That number alone verifies the increased incidence of cyber-crime and the vital need for cyber liability insurance. As your business continues to integrate more technology into your operations, consider how to best protect that technology from being breached and how to ensure your business can offset potentially devastating effects in the event a breach occurs.
Hausmann-Johnson Insurance takes great pride in being on the cutting edge of cyber trends and can help tailor coverage based on your exposures. If you want to know more about cyber liability, or would like your current cyber policy audited, please contact your Hausmann-Johnson Insurance professional today.