Companies use kidnap insurance to guard against ransomware attacks
By Suzanne Barlyn and Carolyn Cohn
NEW YORK/LONDON (Reuters) - Companies without cyber insurance are dusting off policies covering kidnap, ransom and extortion in the world's political hotspots to recoup losses caused by ransomware viruses such as "WannaCry", insurers say.
Cyber insurance can be expensive to buy and is not widely used outside the United States, with one insurer previously describing the cost as $100,000 for $10 million in data breach insurance.
Some companies do not even consider it because they do not think they are targets.
The kidnap policies, known as K&R coverage, are typically used by multinational companies looking to protect their staff in areas where violence related to oil and mining operations is common, such as parts of Africa and Latin America.
Companies could also tap them to cover losses following the WannaCry attack, which used malicious software, known as ransomware, to lock up more than 200,000 computers in more than 150 countries, and demand payments to free them up.
Pay-outs on K&R for ransomware attacks may be lower and the policies less suitable than those offered by traditional cyber insurance, insurers say.
"There will be some creative forensic lawyers who will be looking at policies," said Patrick Gage, chief underwriting officer at CNA Hardy, a specialist commercial insurer, in London.
He added, however, that given that K&R policies are geared towards a threat to lives, "our absolute preference is that people buy specific cover, rather than relying on insurance coverage that is not specific". Continued...