It’s not a groundbreaking notion to suggest that an insurance company lacks altruism, but in the arena of cyber insurance, this misalignment between the motivations of the insured versus the insurer is serious. While a car insurer may try to lower the value of your totaled vehicle or put price caps on rentals, they ultimately tender the basic benefits provided in the policy. However, cyber insurance coverage is less reliable given the complexities and competing motivations following cyber incidents.
Following receipt of a cyber incident claim, an insurer is looking to minimize the risk of a lawsuit, avoid excess forensic costs, avoid replacing equipment, and may encourage ransomware payments to speed up the recovery. Above all else, cyber insurance companies are motivated to close the matter as quickly as possible and keep the costs low.
The insurer also keeps a bullpen of vendors, ranging from incident response vendors to breach counsel, for the insured’s use following a reported incident. Some of these vendors prioritize quantity of cases over quality of services, and aim (above all else) to keep the insurer happy – not the insured.
By obtaining status as a “preferred” or “panel” vendor, these vendors are automatically given new business every time the insurance company receives a new claim. The vendor then immediately contacts the insured (victim) for formal engagement, which is simultaneously encouraged by the insurer. The victim/insured is usually unaware of the substantial financial benefit the vendor reaps from its “preferred” or “panel” status. And, as long as the insurance company remains satisfied with the vendor’s performance, the vendor will retain that status.
Therefore, almost immediately following notice of the claim, the insured becomes guided, across multiple areas of concern, by vendors that work to keep the insurance company happy – not the insured. Even more aggravating is that the insured pays these same vendors for their misaligned loyalty.
The quality of the forensics work can also greatly influence the progression of a cyber incident, and the insured is often unaware of what constitutes competent digital forensics and unable to advocate for itself. “Volatile data,” for example, is the evidence that exists only while a system is running (memory contents, running processes, active network connections, logged-in sessions) and is lost the moment a machine is powered off or re-imaged. If no one at the company knows the term, it is unlikely anyone will make an informed decision, when presented with options, on whether capturing it before rebuilding matters. If the insurer is prioritizing speed and cost, an attacker’s persistence or lateral movement may fall outside the scope of a less thorough investigation, leaving the insured open to re-encryption or follow-on incidents. Such repeat events interrupt the insured’s business, trigger additional deductibles, and lead to higher premiums for the same coverage.
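To make the point concrete, here is an added illustration (not part of the original article, and not any vendor’s tooling) of the kind of live-response triage an incident responder runs first on a Linux or Unix host: it captures volatile state in rough order of volatility, hashes each artefact, and logs a UTC timestamp so the collection itself is defensible later. The output directory and artefact names are my assumptions.

```shell
#!/bin/sh
# Live-response triage of volatile data, in rough order of volatility
# (RFC 3227): clock and host identity, processes, network state, sessions,
# mounts. Constructed example for illustration; the output directory and
# artefact names are assumptions. Each artefact is hashed and logged with a
# UTC timestamp so the collection itself can be defended later.

hash_file() {
    # SHA-256 of a file, falling back across common tools; "nohash" if none.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        echo nohash
    fi
}

run_step() {
    # run_step OUTDIR MANIFEST NAME CMD [ARGS...]: capture CMD's output to
    # OUTDIR/NAME.txt and append "hash  timestamp  name" to MANIFEST.
    # A missing tool is recorded rather than aborting the collection.
    outdir="$1"; manifest="$2"; name="$3"; shift 3
    f="$outdir/$name.txt"
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$f" 2>&1 || true
    else
        echo "MISSING: $1" > "$f"
    fi
    printf '%s  %s  %s\n' "$(hash_file "$f")" \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$name" >> "$manifest"
}

collect_volatile() {
    # collect_volatile OUTDIR: returns 0 on success, 1 if OUTDIR is unusable.
    outdir="$1"
    mkdir -p "$outdir" || return 1
    manifest="$outdir/manifest.txt"
    : > "$manifest" || return 1
    run_step "$outdir" "$manifest" date_utc  date -u      # collection clock
    run_step "$outdir" "$manifest" uname     uname -a     # kernel / platform
    run_step "$outdir" "$manifest" hostname  hostname     # host identity
    run_step "$outdir" "$manifest" processes ps -ef       # lost at shutdown
    if [ -r /proc/net/tcp ]; then                         # Linux only
        run_step "$outdir" "$manifest" net_tcp cat /proc/net/tcp
    fi
    run_step "$outdir" "$manifest" sessions  who          # interactive logins
    run_step "$outdir" "$manifest" mounts    mount        # attached storage
    return 0
}

manifest_entries() {
    # Number of artefacts recorded in OUTDIR/manifest.txt.
    wc -l < "$1/manifest.txt" | tr -d ' '
}

# Usage: collect_volatile /mnt/evidence/host01 && cat /mnt/evidence/host01/manifest.txt
```

Two caveats a practitioner would raise: the script calls whatever `ps`, `who` and `mount` are on the compromised host’s PATH, which a rootkit may have replaced, so real responders bring statically linked known-good binaries and write to external media; and this triage is a supplement to, not a replacement for, a full memory capture and disk image. An insured who understands that much can at least ask the vendor whether these steps were taken before machines were rebuilt.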
Consider a severe ransomware event in which the insured keeps operating but held highly sensitive data that it fears will appear on the dark web. Whether to pay a ransom or extortion demand in exchange for the promised deletion or non-publication of that data (exfiltrated data is never really “returned,” and there is no way to verify that the attacker’s copy was destroyed) must be weighed against personal and even criminal liability. Insurers often offer coverage if the insured chooses to make such extortion payments.
However, an officer or employee involved in a ransomware payment may face criminal exposure on two fronts. The first is obstruction of justice when there is an ongoing state or federal investigation: in the Uber case cited below, the former chief security officer was convicted not for paying the attackers as such but for concealing the breach from federal regulators during an open investigation, [1] which is why a payment decision belongs with counsel and must account for any investigation already underway. The second is sanctions law. The Office of Foreign Assets Control (OFAC) has warned that paying a sanctioned person, or anyone in a comprehensively sanctioned jurisdiction (Iran, North Korea, Syria, Cuba, and the Crimea region, among others), can violate U.S. sanctions, and civil penalties apply on a strict-liability basis, meaning the payer need not have known who was on the other end. OFAC has also designated specific ransomware operators, including the Russia-based Evil Corp and North Korea’s Lazarus Group, so an attribution to Russia or North Korea is a red flag even where no country-wide embargo exists. These restrictions arise under sanctions statutes such as the International Emergency Economic Powers Act, not export-control law, and OFAC has said it treats prompt reporting of the attack to law enforcement as a significant mitigating factor.
Public entities must be even more careful, as states have begun to pass laws making it illegal for a public entity to make a ransomware payment. Both Florida[2] and North Carolina[3] have banned such payments, and other states require that these payments be reported to state officials. While these laws are not present nationwide, more and more states are considering them, with New York being a recent example of a major state weighing this type of regulation.[4]
To counter the relationship between insurers and their preferred vendors, insureds are wise to retain independent local counsel and to engage with law enforcement early. Law enforcement can perform sophisticated forensics at no charge and answer the insured’s questions without a commercial agenda, though their priority is the criminal case rather than restoring the insured’s operations, so they do not replace a remediation team. Local counsel, which look to maintain long-term relationships with their clientele, advocate for the insured to maximize policy benefits without fear of retribution from insurers.
[1] https://www.justice.gov/usao-ndca/pr/former-chief-security-officer-uber-convicted-federal-charges-covering-data-breach
[2] Fla. Stat. § 282.3186
[3] N.C. Gen. Stat. § 143-800