The recent WannaCry and Petya ransomware attacks should leave no company with the illusion that they are immune from attack. The targets included companies—large and small—from every industry, including preeminent financial institutions, major law firms, and leading hospitals. Businesses can and must invest in technology and training to help them minimize the likelihood of such attacks. But businesses also must have a game plan to deal with the aftermath of an attack.
Organizations can seek to offset some of the risk by purchasing insurance coverage. The risk of ransomware attacks usually is far more significant than the “ransom” payment itself. Rather, the attack can result in business interruption, loss of proprietary information, and customer and investor lawsuits for disclosure of confidential data and failure to prepare adequately.
Depending on the nature of the attack, there are several types of insurance policies that may respond to ransomware losses. Corporate counsel should review, among others, commercial general liability insurance policies, fidelity insurance policies, and cyber insurance policies in assessing coverage. More recently, some insurers also are selling stand-alone ransomware insurance products. In purchasing such products, companies should expect a detailed application process, with questions regarding employee training programs, how data is backed up, and corporate investment in cybersecurity technology.
In the event of a ransomware attack, businesses will want to have a plan in place to secure coverage for the loss. To date, the ransom payments demanded often have not been large. To obtain coverage for any ransom payment, however, businesses may need to seek the consent of their insurer. If an attack results in business interruption, the plan should include carefully documenting corporate losses. When an attack results in lawsuits filed against the company, quickly securing defense coverage with preferred outside counsel will be key.
If the recent attacks are any indication, ransomware attacks are only proliferating. In-house counsel and their outside attorneys are well-advised to look for ways both to avoid and minimize the risk.
Joseph Saka is counsel with Lowenstein Sandler LLP in the firm’s Washington, D.C., office.