Question:
It will be interesting to see how much this pandemic has contributed to cybercrime totals worldwide.
First, this forum will address the types of cybersecurity insurance coverage offered by insurance companies, including type of claim, type of coverage and estimated cost. Next is a look at an example of a real-world ransomware attack to see what insurance paid and/or whether they paid the ransom.
Per Zureich & Graebe (2015), there is first-party and third-party insurance coverage for cyber security: first-party insurance is for the policyholder's own losses (data, income, harm), and third-party insurance is liability insurance covering customers of the policyholder for the same types of losses as first party.
Figure 1.0 Cyber Security Insurance Coverage Overview (e.g., Hamill, 2019).

1st or 3rd Party Coverage | Insurance Coverage Type | Description of Insurance Coverage |
--- | --- | --- |
1st Party | Theft and fraud | Covers destruction or loss of the policyholder's data as the result of a criminal or fraudulent cyber event, including theft and transfer of funds. (Note: most cyber policies do not cover the theft of funds. Crime insurance is usually needed to cover this type of loss). |
1st Party | Business interruption | Covers lost income and related costs when a policyholder is unable to conduct business due to a cyber attack event. |
1st Party | Extortion | Provides coverage for the costs associated with the investigation of threats to commit cyber attacks against the policyholder's systems and for payment to extortionists who threaten to obtain and disclose sensitive information. |
1st Party | Computer data loss and restoration | Covers physical damage to, or loss of use of, computer-related assets, including the costs of retrieving and restoring data, hardware, and software or other information destroyed or damaged as the result of a cyber attack. |
1st Party | Security Breach Remediation and Notification costs | Covers the costs to identify who was affected, notify customers, employees or other victims affected, forensic costs, and credit monitoring. |
1st Party | Crisis management | Covers crisis management and public relations expenses incurred to educate customers concerning a cyber event and the policyholder's expenses responding to the event. |
1st Party | Identity Theft | Expenses related to the business owner or their employees after identity theft. |
1st Party | Computer Fraud | Covers theft of money, securities, and other forms of tangible property through computer fraud and social engineering schemes. |
3rd Party | Network and Information Security Liability | Covers the costs associated with civil lawsuits, judgments, settlements, and penalties resulting from a cyber event resulting in unauthorized access, failure to provide notification, transmission of viruses, etc. |
3rd Party | Regulatory response | Covers the legal, technical, or forensic services necessary to respond to governmental inquiries relating to a cyber breach and provides coverage for fines and penalties. |
3rd Party | Communications and Media liability | Provides coverage for media liability, including coverage for copyright, trademark, or service mark infringement resulting from on-line publication by the insured. |
3rd Party | Advertising & Personal Injury | Damage caused by defamation on website or social media. |
3rd Party | Transmission of Virus or Malicious Content | Failure to stop the transmission of a computer virus or malicious content. |
3rd Party | Errors & Omissions | Loss caused by failure to provide proper network security. |
1st & 3rd Party | Data Breach Insurance | Claims of failure to protect personally identifiable information (PII) and protected health information (PHI) of clients. |

From the above, we see there is no specific cyber security coverage for ransomware or the Internet of Things; likely one exists, or it may be included in one of the above coverage types.
In the ransomware attack on Lake City, Florida, the city did have insurance and thus only needed to pay $10,000 out of pocket after negotiating with its insurance provider, Florida League of Cities, to pay off the ransomware criminals (Mazzei, 2019). But what was the cost of their cyber security insurance policy?
Hamill (2019) states that costs vary by type of industry, type of data held and number of customers, but roughly speaking, a 1 million dollar policy ranges from $1200 to $7500 annually. Even though an organization may have cyber security insurance coverage, it may not file a claim after weighing what the ransomware criminal wants against the cost to restore its environments. For example, the City of Baltimore decided to restore their systems, spending $18 million, whereas paying the cyber criminal would have cost $80,000 (Mazzei, 2019).
- Do organizations that have cyber crimes need to file a police report for the insurance company to accept a claim?
- As most criminals can't be caught, what laws apply? Local? State? Federal? International?
- If the criminal, especially one who earned large sums from ransomware, is caught, will the insurance company pursue charges to get restitution for ransom money paid?