Black Arrow Cyber Advisory 21/07/2022 – Cyber Insurance Policies: Misrepresentation and Ransomware pay-outs
Executive Summary
Ransomware attacks are becoming more prevalent and the costs for insurers are increasing. Traditionally, ransomware groups have encrypted an organisation’s data and demanded a ransom for the decryption key. However, in the last year, there has been a growing shift by the ransomware community towards exfiltration and then a threat to release the stolen data to extort money from their victims.. These factors have increased the financial pressure that cyber insurance companies are currently experiencing, which in turn has caused them to reconsider their obligations for settling claims. There are currently two significant court cases relating to ransomware insurance claims involving the Travelers insurance company.
The first case relates to Graff, a UK-based jeweller who paid a ransom of $7.5M to prevent the Russian-based ransomware gang Conti from releasing 69,000 confidential documents it had stolen. Graff published the following public statement regarding the dispute with their insurer: “We are extremely frustrated and disappointed by Travelers’ attempt to avoid settlement of this insured risk. They have left us with no option but to bring these recovery proceedings at the High Court.”
The second involves a filing with the US District court requesting a declaration that Travellers insurance contract with International Control Services (ICS) is invalid due to misrepresentation of Multi-Factor Authentication (MFA) controls on the company’s application for its cyber insurance policy. The application stated that MFA was used for administrative or privileged access. Subsequently, ICS were victim to a ransomware attack that resulted in a claim against their cyber insurance policy. As the insurer, Travelers conducted an investigation which revealed that ICS “only used MFA to protect its firewall, and did not use MFA to protect any other digital assets.”
What’s the risk to me or my business?
With the evolving threat of ransomware being ever prominent, it is critical that an organisation considers appropriate cyber controls across people, operations and technology to manage and effectively reduce its risk. Organisations often rely on cyber insurance to provide cover when these controls fail, however insurers are now demanding more evidence of robust cyber controls as they begin to better manage their own exposure to the increasing risks.
What can I do?
Ensure that leadership have an understanding of key cyber controls and what is covered within a cyber insurance policy. When considering ransomware payments, it should be clear what the policy will cover. Any declaration of cyber security controls should be informed by an appropriate cyber security expert with knowledge of what controls the organisation has in place, to ensure that the facts are correctly represented and are less likely to be used in a misrepresentation defence.
Further information on the above cases can be found here:
Need help understanding your gaps, or just want some advice? Get in touch with us.