Contrary to earlier claims that it had no intention of paying an extortion fee to restore the country's largest fuel pipeline, Colonial Pipeline reportedly paid nearly $5 million to Eastern European hackers on Friday, according to two people familiar with the transaction.

Let's look at how having a good cyber insurance policy may have spared the company some of the expenses and woes that ensued from the moment Colonial Pipeline discovered the hack of its systems. Sources told Reuters last Thursday that the company had a cyber policy in effect, arranged by broker AON, with Lloyd's of London insurers.

With a cyber policy in effect, the insurer likely stepped in as soon as the company discovered that its systems had been breached (hacked), or when the company received a cyber extortion threat, whichever came first. The insurer would have assisted the company in responding both to the public and to the extortionists (threat agents).

Any expense incurred as a result of the cyber incident, as defined in the applicable policy, should be covered. This would include such things as investigative costs to determine the cause, scope and extent of the security breach and to identify affected parties; legal fees or other professional advice on responding to the breach; costs to notify affected parties; overtime salaries for employees handling inquiries about the breach; call center costs if the insured hires a call center to handle inquiries from affected parties; and the cost of providing credit and identity theft monitoring to affected parties for at least a year. Other expenses may be covered if approved by the insurer.

Extortion threat expenses might include such things as hiring a security firm or other organization to determine the validity and severity of the extortion threat; interest costs if the insured had to take out a loan to pay a ransom demand; reward payments to an informant whose information leads to the arrest and conviction of the threat actors; and any other reasonable fees or costs, such as those of independent negotiators or security firms hired by the insured to determine how to protect the system from further threats. Covered extortion expenses should include ransom payments the company has to make, whether in cash or in virtual currency such as Bitcoin.

A cyber policy should also cover replacement or restoration of electronic data or computer programs on the company's systems that were damaged in the cyber incident, as long as the incident is discovered within the policy period. If such restoration requires reprogramming or consultation services, those costs should also be covered by the policy.

Business income loss and extra expense incurred as a direct result of the covered cyber incident or extortion threat may be covered for the period of restoration as defined in the policy, perhaps subject to a waiting period before coverage begins. The best way to determine whether this coverage applies is to ask whether the loss or expense arose only because of the cyber incident or extortion threat. Expenses to add new employees, or costs to upgrade or repair the systems, would not be covered unless they were required as a direct result of the cyber incident or extortion threat in order to keep the company operational.

Judging by the news this past week, it is clear that the company has incurred public relations expenses. These would include such things as the cost of a public relations firm hired to protect or restore the company's reputation solely in response to the negative publicity the company received from the cyber incident. A good cyber policy would cover these expenses.

The liability insuring agreements will likely be written on a claims-made and discovery basis, covering claims where the insured first discovers and reports the cyber incident within the policy period or an extended reporting period.

With respect to security breach liability, loss and defense expenses arising from a regulatory proceeding should be covered, with the insurer having the right to select defense counsel and to make settlements with the insured's consent. Loss might include such things as compensatory damages; amounts paid in judgments or settlements; and punitive or exemplary damages where insurable by law. A regulatory proceeding would be one brought by or on behalf of the Federal Trade Commission (FTC), the Federal Communications Commission (FCC), or another body acting in a regulatory capacity.

Some of these coverages may be provided as sub-limits within the policy's aggregate limit; for example, there may be a separate sub-limit for ransom payments, for business income and extra expense, or for public relations expense.

It is common for a deductible to apply, and as with every policy there will be certain exclusions to coverage.

By and large, it's quite reasonable to assume that whatever premium the company paid was nowhere near the $5 million ransom payment. We can't say for certain that the company had all of these coverages in effect, but there's no doubt that having cyber insurance was a good move on its part in this situation.