Policyholder Pulse
Out of the blue one morning, a destination hotel’s operator receives an email informing it that the hotel’s computer and electronic key systems have been infiltrated, leaving the hotel locked out of its 
own computer system and, even more distressing, preventing hotel guests from utilizing their key cards to gain entry to their rooms and other hotel amenities. The email demands payment in the amount of 2 Bitcoin (approximately $1,900) to restore computer and key card functionality, which will double if not paid by the end of the day. The email provides details to access a Bitcoin wallet to make the payment, and then ends by stating, “Have a nice day!”
The operator’s manager, cognizant of the fact that the hotel is at full capacity with skiers, hikers, and vacationers who paid premium daily rates to stay at the popular hotel, in the midst of receiving complaints from guests who cannot access their rooms and hotel staff who cannot create replacement key cards, and realizing that the hotel’s entire reservation system is inaccessible, determines that the most prudent course is to pay the relatively insignificant demanded amount.
If you think such a scenario sounds contrived, think again. This recently happened. How was it done? Through an increasingly common cyber attack known as ransomware. Ransomware is a form of malicious software that infiltrates computer systems or networks and uses tools like encryption to deny access or hold data hostage until the target pays a ransom, frequently through payment in Bitcoin. According to the FBI, after the initial infection, the ransomware attempts to spread to shared storage drives and other accessible systems. If the demands are not met, the system or encrypted data remains unavailable, or data may be deleted. Imagine a similar scenario unfolding at a hospital, where the threat is that vital equipment will be rendered inoperable through ransomware. (But again, no need imagine—at least 14 hospitals were attacked in 2016.)
With so many easy targets out there, it should come as no surprise that ransomware attacks are on the rise. DOJ recently reported that ransomware attacks in 2016 quadrupled to an average of 4,000 per day. The FBI estimated that in the first quarter of 2016, cyber criminals received approximately $209 million in ransomware payments. Extrapolated through the entire year, the number would reach almost $1 billion. Before you despair, take solace in the fact that insurance may be available to cover some or all of your losses.
The necessity of cyber insurance in some form or other cannot be questioned today. Most cyber insurance policies offer various “buckets” of coverage on an à la carte basis. One of these coverages is commonly referred to as “Cyberextortion” coverage. Typically, this coverage will pay for: (i) the money necessary to meet the extortion demand; (ii) the costs of a consultant or expert to negotiate with the extortionist; and (iii) the costs of an expert to stop the intrusion and block future extortion attempts.
Aside from enterprise risk management endeavors such as vigilance, secure data backup to media not connected or mapped to a live network, disabling macros, and diligent installation of software updates and patches, inclusion of cyberextortion coverage as part of your cyber insurance program is not only recommended, but is gaining momentum toward best practice in today’s commercial risk management world. Don’t get locked out of the room.