June 15, 2021

Ransomware Considerations: Cyber-Insurance Renewal Process May Not Be What It Used to Be

With news about cyber attacks seeming to crop up almost daily, considerations about potential ransomware attacks extend beyond information security officers. Alston & Bird recently issued a memo addressing ransomware considerations for the general counsel. Among other things, the memo notes that the rise in ransom payments has placed strains on the insurance industry, and it warns that companies may encounter a more rigorous underwriting and renewal process than they have experienced in prior years.

Indeed, as companies seek to acquire new cyber-insurance policies or renew existing ones, the insurers' enhanced diligence procedures may require additional disclosures or the implementation of new or more stringent cybersecurity procedures to meet the insurer's standards. For example, a policy may require a checklist of specific security controls designed to mitigate the risk of ransomware to be in place and periodically tested for effectiveness.

Other insurers are taking different approaches. Just this week, one European insurer announced that it will no longer issue cyber-insurance policies in France that reimburse insureds for ransom payments.

There is also the risk that an insured company may find that its policy's pre-approval process for the retention of outside counsel, forensic experts, ransom payment facilitators, and even the potential ransom payment itself is in tension with the company's interest in a swift and immediate response to a ransomware event. The scope of covered recovery costs can pose an additional challenge: a policy may not treat expenses for the forensic investigation, the ransom payment itself (if applicable), and rebuilding affected systems as covered recovery costs.

– Lynn Jokela