Contents


    Executive Summary

    Ransomware is a type of malicious software that is covertly installed on a computer without the computer user’s knowledge. It blocks access to the now-infected computer system by locking the system’s screen or locking the user’s files until a ransom is paid.

    Insurance coverage for cyber extortion depends on a company’s cyber coverage. In some cases, defense and indemnity costs for cyber extortion can be included in cyber insurance forms.

    Background

    Ransomware has been an existing threat to cybersecurity since the 1990s. PC Cyborg, the original ransomware, was spread by the mailing of infected floppy disks in 1991 by an AIDS researcher-biologist. “Archiveus,” active in the mid ‘00s, was ransomware that used encryption. In the early 2010s, fake electronically sent warnings made to look like they were from law enforcement demanded that “fines” be paid for the alleged “illicit activities” of the recipient, and exploited newly-developed anonymous payment services. Some in the industry believe that certain forms of ransomware originated in Russia between 2005 and 2006, then spread across Europe, with ransomware infections occurring essentially continuously across Europe and North America by 2012.

    Modern ransomware takes many forms. When users unknowingly visit compromised websites, ransomware can be downloaded. Ransomware can also infiltrate technology in other ways: opening attachments from spam emails, downloading materials from malicious pages, or opening online advertisements infected with viruses (commonly known as ‘malvertisements’). Cloud space ransomware travels from the user’s computer to cloud-storage systems like Dropbox and compromises files stored in the cloud. Targeted ransomware is focused on high-profile targets that are likely to pay higher ransoms because they have more to lose.

    Some of the biggest recent ransomware attacks include:

    • Change Healthcare - (2024) A critical error by Change Healthcare failing to turn on its Multifactor Authorization System resulted in the largest healthcare cyberattack in U.S. history, with the ALPHV/BlackCat ransomware group gaining access to sensitive patient care and encrypting and affecting healthcare information of up to 192 million people nationwide.
    • MGM - (2023) Hackers utilized a phishing technique to infiltrate MGM’s systems and damage guest information, resulting in $100 million in damages.
    • Salt Typhoon - (2024) Salt Typhoon, a hacking group, targeted several major U.S. telecommunication providers such as Verizon and AT&T, gaining access to text and call metadata and comprising
    • Marks and Spencer - (2025) Marks and Spencer, a British retailer, was the victim of a cyberattack that exposed sensitive customer information and payment details, affecting over 16.9 million customers and resulting in $27M in costs to the retailer.

    It is virtually impossible to trace ransomware attacks back to the cybercriminal’s server. Ransom payments are usually made in online currencies like Bitcoin, which are also untraceable. In most cases, it is near impossible to break the encryption code, so most organizations prefer to pay the ransom rather than spend years attempting – perhaps without success – to retrieve their information. The size of ransom demands varies depending on the ransomware type and the price or exchange rates of the digital currencies used, but overall losses are high.

    While ransomware detection and repair techniques are becoming more effective, ransomware developers are also making ransomware harder to find and encrypted files harder to recover. Newer ransomware is focused on making the spread of attacks less predictable.

    Injuries and Damages

    Ransomware functions like a kidnapping. Injuries can include violation of state and federal laws, property damage, business interruption, reputational damage, emotional distress and more. Ransomware can attack individuals as well as entities. For less sophisticated attacks, such as e-mail attachments that are viruses and ‘malvertisements,’ the targets are more likely to be individuals. The more complex attacks tend to be against healthcare companies and other entities that hold private information. By 2021, ransomware damages are expected to reach $8 billion, which is almost 60 times more than it cost in 2015. By 2025, ransomware damages are expected to reach $57 billion, which is almost 7 times more than it cost in 2021.

    Legislation and Regulation

    Ransomware attacks are subject to the same laws and regulations as data breaches.

    As of January 2022, all fifty states, the District of Columbia and several U.S. protectorates have enacted legislation “requiring private, governmental or educational entities to notify individuals of security breaches of information involving personally identifiable information”.

    MMost of these laws include provisions that outline which entities must comply with the law, how to define “personal information”, how a data breach is defined and the requirements for notice when a breach occurs. However, while no broad federal law currently exists to directly address data breach issues, several US laws exist that regulate data breach notification within specific industries. An example includes the HIPAA breach notification rule, which requires organizations that are covered by HIPAA to provide notification after a data breach of health-related information.

    National Association of Insurance Commissioners (NAIC) Insurance Data Security Model Law

    The NAIC Insurance Data Security Model Law was developed to respond to the increased levels of data breaches among several industries. Based on the model, insurers and companies that are licensed by the department of insurance are required to create and maintain “an information security program, investigate any cybersecurity events and notify the state insurance commissioner of such events.” THE NAIC and the federal government has urged all states to adopt the model law. Currently, 8 states (AL, CT, DE, MI, MS, NH, OH and SC) have adopted the model law.

    Liability and Insurance

    Experts point out that all companies are potential targets for ransomware. An attack can result in customer and investor lawsuits for disclosing confidential data, loss of proprietary information and business interruption. Some of the risk can be offset by insurance coverage. Commercial general liability insurance policies, fidelity insurance policies and cyber insurance policies may provide some protection. After a ransomware attack, cyber insurance could cover legal advice and computer analysts. Stand-alone ransomware insurance products are being marketed by some insurance companies who are likely to impose an intensive application process that examines company data practices, employee training programs and company investments in cybersecurity technology.

    To receive the benefits of coverage, the insured must cooperate with the insurer, including, for example, by not disclosing to any entity that there is cyber extortion coverage, obtaining the consent of the insurer before making any extortion payment, using expert incident response services and coordinating with authorities.

    Litigation

    Although litigation against ransomware groups or individual hackers can be difficult due to the anonymous nature of the attack, new litigation has developed recently targeting both businesses who have been the subject of the attacks and individual hackers.

    Emoi Servs., L.L.C. v. Owners Ins. Co. (2022)

    Emoi Servs. L.L.C. was a software company who experienced a ransomware attack on September 12, 2019 after a hacker demanded a ransom of 3 bitcoins for a decryption key to access lost files. Emoi filed an insurance claim under their insurance policy with Owners Insurance Co., but the court concluded that the attack didn’t result in “direct physical loss or damage to covered media, and therefore, the policy did not cover EMOI's losses.”.

    Woodall v. Octapharma Plasma, Inc. (2024)

    Octapharma, a company which operates more than 190 blood plasma donation centers, was the subject of a massive cyberattack that exposed sensitive personal information including Social Security numbers and financial data. They recently agreed to a $2.55M Settlement after being sued for various torts including negligence and a breach of their fiduciary duty for not having the appropriate monitoring and security systems to prevent such an attack.

    National Ink and Stitch, LLC v. State Auto Property and Casualty Insurance Co. (2020)

    National Ink sued their insurer, Casualty Insurance, after being the victim of a ransomware attack and attempting to receive coverage from their general insurance policy. The court held that damage to a computer data/software system was considered “direct physical loss or damage to property” because loss of some functionality should have still been covered.

    Surfside Non-Surgical Orthopedics v. Allscripts Healthcare Solutions, Inc. (2018)

    In 2018, Allscripts, a Florida company that sold e-prescribing services to medical providers, was sued for a ransomware attack that prevented 1,500 clients from accessing their client information. The plaintiffs (Surfside) in the class action complaint accused Allscripts of being “wanton, willful, and reckless” with respect to protection deficiencies. Plaintiffs also argued that SamSam, the ransomware that was employed against Allscripts, had been a well-known threat for about two years before the suit was filed, and that Allscripts did not adequately protect against such threats. The Court dismissed Surfside’s claim for lack of standing to sue.

    Future Outlook

    Unfortunately, experts predict that the worst is yet to come, stating that ransomware will move beyond the purely financial and turn personal, with attackers focusing on big-data leaks and utilizing new AI-orchestrated technology. Although companies are able to restore data through new technology, the publication of that data is at an all-time high. The FBI’s 2024 report stated that 3156 ransomware complaints were received that year (a 11.7% annual increase). Additionally, the surge in highly organized ransomware groups could result in a decentralization of ransomware attacks, making the potential consequences more serious and the insurance industry’s involvement in developing and marketing cyber security insurance products more crucial. In particular, the last few years saw a surge in Codefinger, a new ransomware scheme which made it nearly impossible to recover leaked information without the payment of some ransom. As the threats continue to evolve, the potential consequences become more serious and the insurance industry’s involvement in developing and marketing cyber security insurance products becomes ever more crucial.

    By far and away the most well rounded and useful Cat-focused industry conference out there. Perfect for all levels within the industry. From the conference content, the presenters and the attendees, this conference is a can’t miss for those interested in expanding their knowledge and learning more about cat related insurance and reinsurance modeling topics Nick DiMuzio, Everest

    "Fantastic, enriching conference - brilliantly planned and run, illuminating talks and excellent opportunities for networking across multiple areas of catastrophic risk.” Gary Ackerman, University at Albany

    “From a treaty underwriter's point of view, RAA presented relevant topics related to today's macro events. Scientific presentations provided insight that I can incorporate in underwriting and share with my clients.” Eric B. Silberman, Munich Re

    "Great conference with some of the biggest names in the business presenting their work. What more could you ask for?” Ron Nash, Nash Consulting

    “A perfect introduction to the world of reinsurance. Relevant topics, great speakers and the opportunity to network with industry peers makes this a must go event.”
    Tom Barrett, Everest Re

    Demystifying Reinsurance was an excellent tool to clearly understand and break down the basics. Very good class and recommend it for beginners and even as a refresher course for the intermediate student.”
    Chenessia West, TransRe

    “Re Basics is the ideal opportunity whether an industry professional or student of insurance to understand the in and outs of reinsurance while being able to network with persons spread across the whole industry.”
    Darius Zuill, Bermuda Monetary Authority

    “This has been the best reinsurance seminar that I have been to! Whether a reinsurance seasoned vet or new to the field, this is an engaging seminar that addressed specific issues of the reinsurance market.”
    Michelle Thimm, Church Mutual Insurance 

    “Re Underwriting provided a comprehensive and interesting overview of underwriting in the current market with a major (and interesting) focus on trends. Very useful for underwriting and non-underwriting alike.”
    DeVika Bourne, PartnerRe

    “Very informative experience, and a great way to keep up to date on current underwriting events and trends.”
    Steven Whalen, Aspen Re

    “Time well spent in learning the updated underwriting business and networking!”
    Christine Chen,  Everest Re 

    “The panels and presentations were thought provoking and fascinating as numerous topics were covered affecting the industry. I’m leaving the conference with a greater insight of the future market.”
    Brittany de Frias, AXIS Capital 

     

    “RAA Re Finance was the first RAA seminar I attended, and I was thoroughly impressed with the speakers and content. I learned a great deal from the presentations and intend to bring some new ideas back to my company and share with the team!”
    Taylor Robinson, ICW Group

    “Fantastic slate of instructors who thoughtfully walked us through financial reporting and other aspects of reinsurance finance. They used terminology that non finance people (lawyers) could understand. Really great program.”
    Steven Bazil, The Bazil Group

    “If you are in Reinsurance Accounting/Finance, you need to take this course to help you with your job.”
    Frank Borawski, Markel  

    “The speakers were excellent! There is something to be said about a person, and in this case a group of people, who can take time away from their busy schedules and explain to everyone something they feel passionate about in a manner that's understandable. My only complaint is that I wish we had more time with them.”
    Jessica Mieles, Sompo International

    “The RAA ReContracts is the most comprehensive reinsurance contract wording training available in the U.S. market.”
    David Kragseth, Guy Carpenter   

    “The course was very helpful in addressing different viewpoints and important things to consider in contract design and review.”
    Andy Martin, AmericanAg 

    “The RAA contract course was very informative and interesting. It covered a wide range of Reinsurance Contracts Types. In my Reinsurance Career, I have had the opportunity to work on a limited type of contracts, so I learned a lot.”
    Vivian Castro, Arch Insurance Company 

    “The RAA Contracts course provides the opportunity to engage with relevant topics, taught by industry experts, in both seminar and small group environments. The course material and industry experts provide an understanding on a wide range of subjects.” 
    Kevin English, LMRe

    “Participation in Re Claims should be mandatory for all P&C reinsurance underwriters. It’s truly an eye-opener, providing an in-depth look from a claims manager’s perspective on what happens to the business that we underwrite. There are lots of do’s and don’ts to pay attention to. Re Claims answers all the hard questions."  Michael Delacruz, China Re P&C

    “I absolutely love this program. I learned so many new things. Reinsurance from the industry’s top executives, interactive activities, interesting panels, and innovating presentations makes for an intriguing few days. Well worth the time and money.” Chenessia West, TransRe

    “As a reinsurance attorney I find Re Claims highly valuable to stay abreast of emerging issues. Also, being walked through practical case studies is extremely helpful in creating a thorough understanding of how contracts work.” Steven Bazil, The Bazil Group

    Become a Re Scholar!

    The Re Ed Institute's Re Scholar Program seeks to recognize those who achieve a high standard of reinsurance education by completing the Re Scholar curriculum. Learn More.


    Become a Re Ed Sponsor

    The RAA’s Reinsurance Education Institute programs attract professionals from the world’s leading insurance/reinsurance companies, brokers, law firms and consulting firms. Interested in sponsoring? Contact Carolyn Fahey.