Will Cyber-Insurance Continue to Pay Out for Ransomware Attacks?
Colonial Pipeline, the biggest U.S. fuel pipeline, fell victim to a ransomware attack a few weeks ago and ultimately paid $4.4 million to its attackers. While the company reportedly had cyber-insurance protection through broker Aon and Lloyd’s of London, it is unknown whether it relied on its policy in paying the ransom. Additionally, just yesterday, JBS, the world’s largest meat supplier, became the latest ransomware attack victim. These recent high-profile attacks have underscored the disruption and risk that ransomware can create for even the most sophisticated of companies.
When properly procured, cyber-insurance can offer a buffer for companies impacted by a ransomware attack. However, the financial impact of these attacks goes well beyond the ransom payment. Business interruption, revenue loss, potential exposure of sensitive data and related third-party liability, restoration expertise, and ransomware negotiations can all be part of a ransomware attack claim.
Over the past couple of years, many ransomware attack victims have utilized cyber-insurance to deal with either the ransom payment itself or the ensuing cost of remediation. Below are just a few examples:
In June 2019, the city of Riviera Beach, Florida, was hit by a ransomware attack; the city council authorized the city’s insurer to pay a $600,000 ransom demand after crucial data was frozen and the systems that controlled city finances and utilities were taken offline.
That same month, the city of Lake City, Florida, paid ransomware attackers nearly $500,000, which the city announced would be mostly covered by insurance.
In August 2020, the University of Utah paid a $457,000 ransom, in collaboration with its cyber-insurance provider, after an attack targeted the university’s servers.
And while ransomware victims are increasingly relying on their cyber-insurance providers to pay the ransom when hit with an attack, security and insurance experts warn that this approach may quickly become problematic.
Increase in Ransomware Attacks Causing Insurers to Suspend Coverage
Last year in the U.S., there were reported ransomware attacks on more than 100 federal, state and municipal agencies, 500 health care centers, 1,680 educational institutions and untold thousands of businesses, according to a report by Emsisoft, a cybersecurity firm. In fact, the increase in ransomware attacks and the use of cyber-insurance to pay out ransoms is causing some insurers to withdraw from the cyber-insurance space.
AXA, one of Europe's largest insurers, recently announced that it was suspending coverage in France for ransomware extortion payments. This move reflects a growing global sentiment that the current ransomware problem is being exacerbated by insurance coverage for ransom payments. While it is too early to tell for sure, it is possible that other insurers will follow in AXA's footsteps by suspending insurance coverage for ransomware attacks or limiting coverage for these types of payments.
What Can You Do?
In the short term, one can expect that insurers will require certain security standards as a precondition to obtaining coverage. It is also reasonable to expect that, ultimately, the insurance industry will adopt security baseline requirements as a standard for cyber-insurance. In the meantime, businesses should implement a proactive strategy for minimizing the risk of a successful attack, along with a well-rehearsed incident response plan to maximize an organization's ability to recover quickly.
It can be a huge undertaking for any business to ensure that it is adequately protected from, and properly prepared to respond to, a ransomware attack. Outside law firms that focus on business and insurance coverage issues can be helpful in implementing the aforementioned strategies to mitigate risk and, if necessary, assist in responding to a ransomware attack. If you need help reviewing your cyber-insurance policy or implementing the aforementioned strategies, I strongly recommend consulting with an experienced business or insurance coverage attorney.
Rick Duarte is the owner of The Duarte Firm, P.A., where he focuses his practice on business law. He received his law degree from the Emory University School of Law and has been named a “Rising Star” in Business Litigation by Florida Super Lawyers for 2016 – 2021. Rick also serves as general counsel to emerging and medium-sized businesses, guiding clients through corporate governance, risk management issues, and strategic decisions where business and law intersect.