Most of you are probably aware of the Hollywood Presbyterian Medical Center data breach. On February 5, 2016, hackers froze the hospital out of its electronic patient records. Reports have indicated that the hospital had no access to those records until it paid a $17,000 ransom almost two weeks later. Over the past month, there have been at least 14 similar attacks reported by hospitals in California, Kentucky, D.C. and Maryland. The critical nature of data security for heavily regulated healthcare institutions is nothing new, but the threat that hackers will encrypt health records for ransom – sort of the opposite of the more traditional threat of improper disclosure – is a relatively new risk. It is one, however, that a cyberinsurance policy can cover.
“Can.” Not necessarily “does.”
Policies have drawn a distinction between cyber extortion and other types of network security breaches. At the most general level, there seems to be little difference. It all starts with unauthorized access. A “ransomware” attack, one form of cyber extortion, is different only with respect to what the hacker does after gaining network access – the hacker encrypts the data and demands payment to “unlock” the records. Up until that payment demand, the event would likely fit within almost any cyberinsurance policy’s definition of a network security claim, or whatever term the policy uses to describe first party coverage for data breach response and remediation.
The ransom demand, however, has led many policies to treat cyber extortion as a unique subset of data breaches and, therefore, a distinct coverage element. CNA’s NetProtect 360 policy, for example, offers “Network Extortion” coverage in addition to more general data breach response and remediation coverage. Lloyds has in some policies also used the term “Cyber Extortion” coverage, and it is often separate from other first party coverage. Travelers’ Cyberrisk policy uses the term “E-Commerce Extortion,” and it is likewise distinct from other breach response and remediation coverage. And so you see a pattern developing here, right? So what?
So, in this era of “a la carte” cyberinsurance policy procurement, it is critical for healthcare institutions to ensure that their policies contain stand-alone cyber extortion coverage or that the broader first party breach response coverage is defined to include ransomware-style attacks. In fact, given the profitability of cyber extortion and hackers’ increased use of ransomware and similar malware, this coverage should be viewed as standard by most, if not all, cyberinsurance purchasers.