Amidst the recent surge in ransomware attacks on U.S. businesses—with crypto criminals and sometimes State actors invading and encrypting computer and operating systems and extorting funds in exchange for the decryption key—one new ploy deserves attention from our perspective as insurance coverage lawyers. A new scheme involves demanding that the target provide details of its cyber insurance policies so that the payment demands can be adjusted to fall within the coverage the victim purchased.
This is a disconcerting, albeit predictable trend, but surrendering to these requests jeopardizes coverage. Policyholders are strongly advised to avoid cooperation or dialogue with attackers that would reveal policy limits or other coverage information, lest they void their coverage or embolden larger ransom demands.
A Brazen Approach
The following missive, relayed courtesy of Jason Hill at Varonis, is one such example of the approach taken by HardBit ransomware:
Very important! For those who have cyber insurance against ransomware attacks.
Insurance companies require you to keep your insurance information secret, this is to never pay the maximum amount specified in the contract or to pay nothing at all, disrupting negotiations.
The insurance company will try to derail negotiations in any way they can so that they can later argue that you will be denied coverage because your insurance does not cover the ransom amount.
If you told us anonymously that your company was insured for $10 million and other important details regarding insurance coverage, we would not demand more than $10 million in correspondence with the insurance agent. That way you would have avoided a leak and decrypted your information.
But since the sneaky insurance agent purposely negotiates so as not to pay for the insurance claim, only the insurance company wins in this situation. To avoid all this and get the money on the insurance, be sure to inform us anonymously about the availability and terms of insurance coverage, it benefits both you and us, but it does not benefit the insurance company.
This tactic first appeared in October 2022, and the attackers had already refined their approach one month later, moving to a “2.0” version of the attack in November 2022.
This attacker encourages dialogue—asking victims to contact them through an instant messaging platform or email—and presents an opportunity for the victim to escape simply by sharing information so that the hacker can induce the insurer to pay the full coverage limits. This approach appears on the surface to be an appealing outcome for the victim: Send the attacker the policy so that they can demand the full limits, cut down on protracted negotiations, and allow the company to return to normal operations as soon as possible.
Traps for the Unwary
Policyholders should resist the hackers’ demands along these lines, and instead share the demand letter with the insurer to allow the claim investigation and adjustment to proceed in the normal course. At its core, the offer invites policyholders to cooperate in targeting their own insurers—an ethical compromise of dubious efficacy that can also place the coverage itself in jeopardy. As painful as a ransomware attack is, an open line of communication with the insurers keeps their interests aligned with those of the policyholder and ensures that the insurers will seek a prompt resolution to minimize losses and avoid consequential damages. These advantages are potentially lost if the policyholder cooperates with hackers without the insurer’s express consent. And this is not the only risk:
1. As a general matter, engaging with ransomware threat actors is problematic because, among other reasons, the outcome after paying a ransom is not guaranteed. For example, attackers may not send decryption keys (or the key may not work). They might retain access to or copies of sensitive data. Or they could “name and shame” the victim after payment, threatening to disclose data if further ransom is not paid. In some cases, the criminal is after more than just cash; they may also be targeting IP, confidential data, or other valuable information. For these reasons, and to reduce the incentive for ransomware groups to operate, threat response experts recommend that victims avoid any ransom payments.
2. Some insurance policies may have terms specific to the payment of ransoms that expressly prohibit sharing information or prohibit direct contact between the policyholder and the attacker. (As discussed below, there are potential risks to coverage even if there is no express prohibition.)
3. Paying the ransom, even if successful, may not be the most effective and efficient way to restore operations to normal.
4. Payment to an entity that is on a sanctions list—even if inadvertent—could create additional exposure and trigger a sanctions exclusion in your insurance policy. Careful due diligence is mandatory to avoid potential issues. Familiarize yourself with relevant government guidance on this issue, including: (1) the November 8, 2021 FinCEN Advisory and (2) the September 21, 2021 Updated OFAC Ransomware Advisory.
5. Payment of a “limits loss,” even under a sub-limit, has a different impact on future premiums than a partial loss, so the insurer is not necessarily the only party that loses in this situation. You should discuss the impact of this approach with your broker to assess premium setting issues.
To be sure, there are situations where paying a ransom is prudent or necessary, such as when restoring operations would be difficult or impossible without a decryption key or when the time necessary to pursue another option would be disastrous to operations. But even assuming that a ransom payment is necessary, that the cyber-criminal is negotiating in good faith (to the extent the term “good faith” applies to criminal extortionists), and that there is no outright provision prohibiting sharing such information, the “share your insurance policy” approach would effectively set the price of the ransom at the coverage limits. And it poses other potential traps for unwary policyholders that could undermine coverage:
1. Ransomware Sublimits
Ransom coverage is often excluded or offered as a deeply sublimited coverage extension, meaning that the total limits available under the policy cannot be used to pay a ransom in this circumstance. Sharing a policy is playing with fire, as attackers cannot be assumed to be coverage experts, and may demand full limits instead of sublimits.
2. Policyholder’s Duties under the Policy
Next, insurers impose duties on policyholders as conditions of the coverage provided. Policyholders are obliged to mitigate their losses, cooperate with the investigation and adjustment of the claim, and, sometimes, refrain from entering into a payment agreement or obtain the insurer’s consent before engaging in settlement negotiations or agreeing to a payment. “Cooperating” with an attacker—particularly by sharing information in writing and engaging in a dialogue—opens policyholders up to scrutiny by the insurers, even if the insurers are aware of the conversations.
The sample ransom note quoted above asks for the policy explicitly so that the attackers can demand the full policy limit. It is easy to imagine a situation where, for example, an insurer argues that sharing policy limits with an attacker is a breach of the duty to mitigate because the policyholder knew or should have known that the attacker would not accept anything less than the available limits. Similarly, if the policyholder fails to notify the insurer of the conversations, the insurer could argue that the policyholder is withholding pertinent information about the claim or negotiating an unauthorized payment.
While these “breach of obligation” defenses vary in strength based on the specific policy wording and the applicable legal jurisdiction, it is best practice to avoid these types of situations if at all possible. In some jurisdictions, breach of a policy condition can be construed strictly against the insured, so even a technical violation can threaten coverage. Even in jurisdictions where the insurer is required to prove prejudice as a result of the alleged breach of a policy condition, the insurer may use the correspondence as grounds to determine whether a breach of the condition has in fact occurred—which leads to a third concern.
3. “Under Investigation”
Even if correspondence with an attacker about available insurance coverage does not lead to an outright denial of the claim, insurers may use the appearance of a potential impropriety to “investigate” whether such a breach has in fact occurred. This “investigation” will delay the claim payment and may involve invasive requests for information and examinations under oath of key employees. While there are limits to these investigations—especially if they are unfounded—disputes over the scope of an insurer’s investigation often lead to further allegations of non-cooperation and push the parties further along the path toward a future dispute. This is the last thing a policyholder needs when facing a ransomware event.
4. Coordination of Limits
Finally, payment of the full available ransomware limits reduces potential coverage available for government claims for breach of privacy laws and other violations, or for other third-party claims and business interruption losses. Cyber policies are “package policies” that cover many different potential losses related to various cyber events. Each of these separate coverages will often have a seemingly separate limit of liability that applies to claims made under that section. But many cyber policies have provisions that “batch” related claims, events or acts, so payments under one coverage grant reduce the available limits under other coverage grants.
Ransomware threats are constantly evolving and this latest tactic—potentially exacerbated by cooperation from unsophisticated victims—is a dangerous sign of things to come. Whether the HardBit approach is a portent of a new kind of extortion, a new condition of the standard playbook, or just the harbinger of more creative and invasive tactics, it is a development of concern and a matter for discussion with counsel, brokers and underwriters.