According to the FBI, billions of dollars are lost every year repairing computer systems and networks hit by cyberattacks like ransomware. The 2019 Internet Crime Report notes that in 2019 alone, the FBI’s Internet Crime Complaint Center received 467,361 complaints of cybercrime with reported losses exceeding $3.5 billion. While the number of ransomware attacks has declined sharply, the amounts demanded in such attacks have increased. For example, BleepingComputer recently reported seeing ransom notes for the Ragnar Locker ransomware, which targets software commonly used by managed service providers, with demands ranging from $200,000 to about $600,000.
Some insurers selling cyber insurance offer to pay a ransom demand, which theoretically should allow the policyholder to get their data back. But what happens if you don’t have cyber insurance or the funds to pay the ransom? What if you pay the ransom and the criminals renege? If your computers and network are slowed but otherwise operable, will your traditional business owners’ insurance policy pay to replace the damaged computers and network?
Contrary to popular belief, paying a criminal’s ransom demand does not guarantee that you will regain access to your computers and data. The FBI does not advocate paying a ransom because in some cases, victims who paid a ransom were never provided with decryption keys to unlock their computers and data. Indeed, in a recent federal court case in Maryland, an embroidery company that was the victim of a ransomware demand paid the ransom and the criminal reneged. The company then had to hire a security firm to replace and reinstall the company’s software and install protective software on its computer system, but some software was lost forever. In the end, the computer system lost efficiency because the protective software slowed the system, and the company’s computer expert testified that there were likely dormant remnants of the computer virus on the system that could re-infect the entire system.
The State Auto business owners’ insurance policy appeared to cover the damage. But because the computer system was still operable, State Auto denied the claim. The case turned on the policy language that the insurer would pay for “direct physical loss of or damage to Covered Property,” where the term “Covered Property” included software and data stored on the computer. The court, citing other cases, held that “physical damage” was not restricted to the physical destruction of the computer, but included loss of access, loss of use, and loss of functionality. The court also rejected the insurer’s argument that the policy required an utter inability to function. Instead, the court reasoned:
The more persuasive cases are those suggesting that loss of use, loss of reliability, or impaired function demonstrate the required damage to a computer system, consistent with the “physical loss or damage to” policy language. Here, not only did Plaintiff sustain a loss of its data and software, but Plaintiff is left with a slower system, which appears to be harboring a dormant virus, and is unable to access a significant portion of software and stored data.
In the end, the court granted summary judgment for the embroidery company allowing it to recover more than $300,000 to replace its computer server, software, and data. The case is National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Company, No. SAG-18-2138 (D. Md. Jan. 23, 2020).
A list of the FBI’s cyber defense best practices can be found here.