
Monday, February 3, 2020

Cyber Insurance Paid to Pay Ransomware: Case Study & Case Law

A Canadian insurance company infected by a ransomware virus paid off the cybercriminals using its cyber insurance policy. Its British reinsurers, having had to disburse 109.25 Bitcoins, wanted the money back from the blackmailing cybercriminals.

After infection, the unnamed Canadian company suffered a total lockdown of all of its systems and asked its reinsurance firm to pay the ransom so it could get back on its feet.

Paying off blackmailers holding a company to ransom is never advisable, and in many cases it is against local law. Despite a negotiation that made the criminals bring their initial demand of $1.2m down to $950k, the decryption tool provided had to be run on each and every affected device on the company's network.

It took five days to decrypt 20 servers and "10 business days" to unlock 1,000 desktop computers.

Neither company was going to pay out and forget the incident. The English reinsurer hired Chainalysis Inc, a "blockchain investigations firm", which eventually pinpointed the people responsible.

In AA v Persons Unknown and Ors. [2019] EWHC 3556 (Comm), Case No: CL-2019-000746, the defendants were named as follows:
(1) PERSONS UNKNOWN WHO DEMANDED BITCOIN ON 10TH AND 11TH OCTOBER 2019
(2) PERSONS UNKNOWN WHO OWN/CONTROL SPECIFIED BITCOIN
(3) iFINEX trading as BITFINEX
(4) BFXWW INC trading as BITFINEX

IN THE HIGH COURT OF JUSTICE BUSINESS & PROPERTY COURTS OF ENGLAND AND WALES COMMERCIAL COURT (QBD)
Hon. Justice Bryan said: "Whilst some of the Bitcoin was transferred into 'fiat currency' as it is known, a substantial proportion of the Bitcoin, namely, 96 Bitcoins, were transferred to a specified address. In the present instance, the address where the 96 Bitcoins were sent is linked to the exchange known as Bitfinex operated by the third and fourth defendants."

Bitfinex is a cryptocurrency exchange headquartered in the British Virgin Islands, though the court noted that one email address associated with the exchange was seemingly traced to China.

Justice Bryan said: "At the present time there is no evidence that [Bitfinex] are themselves, perpetrators of the wrongdoing, rather, it is said, they have found themselves the holder of someone else's property."

The judge ruled that Bitfinex probably knew who the two alleged ransom receivers were, saying: "I have no doubt that Bitfinex has the ability to access its records and its KYC [know your customer, finance sector ID rules] material to identify the information that is sought" about the two alleged blackmailers.

A Scottish managed service provider (MSP) was caught red-handed promising ransomware decryption services when in reality all it was doing was paying off the cybercriminals and adding a high-margin windfall on top. At least one study has found that fewer than half of the companies paying off ransomware actually get their files back.

Meanwhile, a US federal judge has ruled that an insurer providing a "business owner's insurance policy" to National Ink & Stitch, which sustained a ransomware attack in 2016 and was forced to replace most of its IT infrastructure, must pay for the damages the security incident caused.

In her recent ruling, Judge Stephanie Gallagher of the U.S. District Court of Maryland wrote that the damage to National Ink & Stitch's computer infrastructure from a ransomware attack constituted "physical loss or damage" covered by the insurance policy and that the insurer must pay the costs to recover and rebuild the network. National Ink & Stitch is an Owings, Maryland-based embroidery and screen printing firm.

The insurer, Columbus, Ohio-based State Auto Property and Casualty Insurance Co., had denied coverage for the cost of replacing National Ink & Stitch's computer system, arguing that the company had not experienced "direct physical loss of or damage to" its computer system, the judge noted in the ruling.

The ruling did not set a specific dollar figure, although National Ink & Stitch previously argued for a settlement of $310,000 in recovery costs, according to court documents. National Ink & Stitch and State Auto could be reached for comment.

Advocate (Dr.) Prashant Mali
Cyber & Privacy Expert

Thursday, November 2, 2017

Can GDPR Fines be covered under Cyber Insurance in India?
By Prashant Mali, 
Cyber Law & Privacy Expert.
Cyber policies usually grant cover for civil fines provided that these fines are “insurable at law”.
Where insurance for fines and penalties is available, this is usually as part of an operator's general liability policy, although there is no general rule and some such policies routinely exclude such cover. In addition, prudent directors of port and terminal operators who are faced with the possibility of personal exposure to civil fines will take steps to ensure that their D&O policy will cover them if they are investigated personally.

Example Policy Terms
Insurance coverage is available for fines and penalties. A popular form of cyber insurance includes, as an item of covered loss:
[C]ivil fines or penalties imposed by a governmental agency and arising from a Regulatory Action, unless the civil fine or penalty imposed is uninsurable under the law of the jurisdiction imposing such fine or penalty.

Another popular policy form provides coverage for "Penalties," defined as:
[A]ny civil fine or money penalty payable to a governmental entity that was imposed in a Regulatory Proceeding by the Federal Trade Commission, Federal Communications Commission, or any other federal, state, local or foreign governmental entity, in such entity's regulatory or official capacity; the insurability of Penalties shall be in accordance with the law in the applicable venue that most favors coverage for such Penalties.

Based on these definitions (which are typical), several features are prominent:
  • The fines or penalties must be "imposed by" a governmental agency.
  • The fines or penalties must be insurable under the applicable law.
  • The fines or penalties must be paid to a governmental entity or to a consumer redress fund.

While it is not an inbuilt coverage, fines and penalties can be covered under a D&O policy by suitably modifying the definition of loss or in another appropriate manner. Reproduced below is one such definition as found in policy wording.

“Loss also includes civil and administrative fines and penalties, awarded against Insured Persons, to the extent such are insurable by law, and the multiplied portion of multiple damages”

There is no express law in India, including the Companies Act, 2013, which declares any fine or penalty to be uninsurable.

Section 197(13) of the Companies Act, 2013 is reproduced below:
“(13) Where any insurance is taken by a company on behalf of its managing director, whole-time director, manager, Chief Executive Officer, Chief Financial Officer or Company Secretary for indemnifying any of them against any liability in respect of any negligence, default, misfeasance, breach of duty or breach of trust for which they may be guilty in relation to the company, the premium paid on such insurance shall not be treated as part of the remuneration payable to any such personnel:
Provided that if such person is proved to be guilty, the premium paid on such insurance shall be treated as part of the remuneration.”
Surprising as it seems, there appears to be no section in the Companies Act, 2013 which prohibits indemnification of any nature.

It needs to be clearly understood that, as with other payments, the prior approval of the insurance company is a prerequisite for claiming this loss. One of the policy wordings is reproduced below. A provision relating to non-admission of liability is present in all policy forms, though the language may vary from insurer to insurer.

“The Insured shall not admit or assume any liability, enter into any settlement agreement, or consent to any judgment without the prior written consent (which shall not be unreasonably delayed or withheld) of the Insurer. Only liabilities, settlements and judgments resulting from claims defended in accordance with this policy shall be recoverable as a loss under this policy”

It is good for the directors to seek, in their letter of appointment, appropriate and adequate indemnity provisions – indemnity against all losses and expenses incurred by them in relation to the discharge of their duties unless such loss/ expense is caused by their own deliberate and malicious actions. It pays to be explicit and have more inclusive provisions.


Insurability
A looming question in the case of insurance for fines and penalties is whether such items can be insured despite policy language expressly providing for such coverage. As with the insurability of punitive damages, there is no uniform view. However, one can make several general observations:
  1. Fines or penalties that are based on intentional or willful conduct are likely to be challenged by the insurer based upon public policy arguments.
  2. Fines or penalties that are "punitive" in nature are more likely to be challenged by the insurer than those that are "compensatory" in nature.
  3. Penalties that are assessed vicariously against a policyholder (such as when a corporation is held liable for an unauthorized act of its employee) are less likely to be challenged.
Case law exists under a variety of statutes, and in a variety of state and federal jurisdictions, that assesses whether particular fines or penalties are punitive or compensatory, or are insurable. Cyber policies address insurability through choice of law and choice of venue. As can be seen from the example language quoted above, there are two basic approaches:
  1. One version permits coverage except to the extent that the law of the jurisdiction imposing the penalty forbids such coverage;
  2. The other version permits coverage so long as the most favorable applicable venue permits such coverage.
Under conventional choice of law procedures, an "applicable venue" is likely to be one that has some sort of relationship to the parties or to the underlying facts. A standard provision for punitive damages directs that the applicable law is
"the law of the jurisdiction most favorable to the insurability of such [punitive] damages, provided such jurisdiction has a substantial relationship to the relevant Insured, to the Company, or to the Claim giving rise to the damages."
This type of formulation appears to provide more flexibility for coverage of such penalties than one in which the penalty-imposing jurisdiction is selected.

International variation
Internationally, the position in other jurisdictions is likely to be similar, albeit with some noteworthy differences. For example, it is common in Australia for cover to be provided in respect of civil fines, and some insurers have extended liability insurance to include criminal fines imposed in circumstances other than where the insured has behaved in a reckless manner (or worse). Whether or not such policies are legally enforceable remains a hotly contested issue, but despite the difference in approach from the English position, the underlying public policy issues are the same.
In the US, a number of products are available which provide cover in respect of investigations under the Foreign Corrupt Practices Act, although in keeping with the policy considerations described throughout this article, cover is limited to the costs of such an investigation and coverage for any fines or penalties is specifically excluded.
In the UK, the leading case on whether regulatory fines are "insurable at law" is the decision of the Court of Appeal in Safeway Stores Ltd v Twigger [2010] EWCA Civ 1472. In this case, pursuant to the Competition Act 1998, the Office of Fair Trading issued a regulatory fine against Safeway. As a result, Safeway sued its own directors in order to claim under their D&O policy.
The First Instance Judge, Flaux J, noted that:
“…the real target of the present claim is not the assets of the individual defendants, many of whom are of modest means, but the directors’ and officers’ liability insurance available to the defendants…”
Flaux J, after reviewing the previous authorities, held that the "illegality defence" applied to the regulatory fine relating to the breach of the Competition Act 1998. The breach was held to be sufficiently serious and "morally reprehensible", even where it had been committed without intention.

Although potential exposure to fines and penalties is an important risk management consideration for port and terminal operators, it appears that the extent to which insurance for liabilities of this nature can be obtained is limited, at least in England and Wales. It is clear that as a matter of English law, criminal fines and penalties cannot be insured for public policy reasons and, although there is no law in this area, similar considerations are likely to apply in the case of civil fines, so that these will only be insurable where the conduct in respect of which they are incurred does not involve deliberate wrongdoing.
The ex turpi causa maxim means that even where such cover can be obtained, an insured will be precluded from making a claim if the conduct to which the fine or penalty attaches involved intentional or negligent conduct.

Conclusions
Legally: While many insurance policies provide cover so far as insurable by law the reality is that GDPR fines themselves will likely not fall for cover. There may be cover for the costs associated with complying with, defending or appealing investigations from the ICO. And insurers may, of course, elect to pay out an amount in respect of the fine (potentially leading to issues in respect of reinsurance recovery). Note, also, that Bermuda legislation does not prohibit passing on liability for fines and may therefore provide some excess options worth considering.
Commercially: Regardless of any debates around the legal position in coverage of fines, the commercial reality is that the value of cyber cover comes in the knowledge and expertise that can be provided by the insurer, particularly in terms of responding to a data security breach. Cyber policies will generally cover systems failure, data restoration, as well as third party claims for damages for lost data or breaches of security and privacy and may also cover amounts paid in response to cyber extortion. Crucially, they will usually also provide access to necessary and pre-approved vendors and a package of cover that includes: 
  • pre-breach offerings; 
  • disaster recovery costs; 
  • communication and notification costs; 
  • paying for forensic investigations to determine the cause of the breach; 
  • legal advice; 
  • engaging experts to manage public relations and protect the company's reputation; 
  • lost income and payroll as a result of a breach; and 
  • credit monitoring for customers.
Of course, insurance can be no substitute for robust data protection policies - and the potential to be on the wrong end of a GDPR penalty makes it all the more important for companies to invest in such policies and procedures. However, in today's climate of increased cybercrime, it is vital for businesses to arrange cyber cover and to partner with insurers in order to assess their exposures and be in a position to respond swiftly and effectively as and when a security breach occurs. Just don't have an unrealistic expectation that it will provide indemnification in respect of any GDPR fines.
