Coverage for Malware Attacks – Cryptojacking and Ransomware

By David A. Gauntlett*

Cyber-attacks are a serious threat to all businesses and anyone who uses the internet or computer systems. In 2019, cyber-scams increased over 69% with reported losses of more than $4 billion in 2020.[1] Cyber-attacks using malware to steal cryptocurrency are on the rise. David Uberti explains in the Wall Street Journal how investors in cryptocurrency are being hacked and hijacked by cybercriminals via trading applications, resulting in complete loss of their investments and funds.[2]

It is a common misconception that cyber-attacks prey on those ignorant of cyber operations; however, that is not the case. Anyone can fall prey to the manipulation of cybercrimes because they target natural tendencies of human behavior such as taking shortcuts[3] and using quick judgment.[4] Knowing these natural human behaviors, cybercriminals have manipulated them to allow successful cyber-attacks. Securing proper cyber insurance policies that cover these kinds of cyber-attacks requires careful pursuit of cyber insurance policies in an increasingly resistant market. This is the time to locate specialists in cyber insurance coverage and employ their networks.

Problematic Endorsements in Cyber Policies for “Cryptojacking”

Cyber insurance is still a recent addition to the policy market and is constantly evolving as new threats arise. The recent threat of cyber-attacks involving cryptocurrency reveals deficiencies in many cyber insurance policies. While many policies do not expressly address cryptocurrency hijacking, some policies present sublimits expressly for “cryptojacking.”

“Cryptojacking” can be covered within a cyber policy by an endorsement such as the following:

1.     The aggregate sublimit applicable to all loss under this endorsement is USD $100,000.

2.     The Retention applicable to each incident, event, or related incidents or events, giving rise to an obligation to pay loss under this endorsement shall be USD $25,000.

3.     INSURING AGREEMENTS is amended to include:

Cryptojacking

To indemnify the Insured Organization for any direct financial loss sustained resulting from Cryptojacking that the Insured first discovers during the Policy Period.

4.     DEFINITIONS is amended to include:

Cryptojacking means the Unauthorized Access or Use of Computer Systems to mine for Digital Currency that directly results in additional costs incurred by the Insured Organization for electricity, natural gas, oil, or internet (the “Utilities”)…[5]

This sub-limited policy endorsement raises a number of issues.

First, under the definition of “cryptojacking”, this endorsement coverage is contingent on the “direct losses result[ing] in additional costs incurred…for electricity, natural gas, oil, or internet”. Cryptojacking can require a lot of electricity to operate, so additional costs in electric bills can be indicative of a cryptojacking attack.[6]

In many cases, however, cryptojacking through data networks can be undetectable on larger systems or mobile networks and only slow down the computing power of the network, which, more often than not, does not result in additional costs in one’s “utilities”. For example, in the situation discussed by David Uberti regarding the cryptojacking of an individual, the hijacking did not involve direct losses in the form of “utilities.” The individual was hacked and hijacked via her phone number and her phone applications.[7] Under this definition, policyholders may fall within this coverage gap as hackers evolve their tactics.

Second, this policy endorsement is restricted to a $100,000 sublimit. Such a minimal limit fails to address the typical costs businesses incur. When securing a cyber policy, policyholders should seek high limits for such coverage. While well beyond the scope of any insurable risk, DeFi Network recently lost more than $600 million resulting from cryptojacking.[8]

The Growing Expense and Risk of Ransomware

Closely related to cyberjacking, ransomware also involves a breach in network security, using viruses or other malware to infect a computer system. Even more dangerous is the manner in which malware can manipulate computer functionality. Compared to cyberjacking, ransomware is less profitable, but it is nonetheless a major threat to online operations and is easier to perform. Ransomware attacks extort money from businesses, and the payments can take the form of cryptocurrency, which can make attacks more difficult to track.

Insurers often deny coverage for claims resulting from ransomware attacks, especially where numerous claims can be involved, such as system damages, reputation loss, business interruption, data breach and loss, as well as cyber extortion loss.[9]

For example, a Connecticut district court, in New England Sys. v Citizens Ins. Co. of Am.[10], determined that in denying coverage to New England for business interruption claims after a ransomware attack, Citizens engaged in bad faith under the policy provision “Cyber Business Interruption and Extra Expense”. The court reasoned that “Citizens intentionally misrepresented pertinent policy provisions when it allowed NSI to undertake self-repair work without disclosing that Citizens knew it would consider NSI ineligible for business-interruption coverage if it performed such work…[and] engaged in no investigation of its claims whatsoever.”[11]

Insurers have also attempted to deny coverage for claims resulting from ransomware attacks by applying the “war and terrorism” exclusion, contending that ransomware attacks are forms of cyber terrorism that fall within the scope of this exclusion.[12] For example, in the ongoing case Merck & Co., Inc. v. Ace Am. Ins. Co.[13], a New Jersey court is analyzing Ace’s denial of coverage for Merck & Co.’s claims resulting from the NotPetya ransomware attack in 2017. Ace contended that Merck & Co.’s claims fall within the scope of the policy’s war-risk exclusionary clause[14] and relied on a broad definition of “terrorism” and terms related to terrorism to deny coverage.[15] By contrast, Merck asserts that its “all-risk policy” covers all risks to property damage “including destruction, distortion, or corruption of computer data, coding, program, or software.”[16] The term “act of war” in the war-risk exclusion, as applied to cyber-attacks, is ambiguous, and applying it to the NotPetya event would disappoint the reasonable expectations of Merck.[17]

Conclusion

Cyber policies can be critical for covering the costs necessary to investigate cryptojacking attacks and repair system damage resulting from the attack. Unlike cyberjacking, where businesses can function unaware of the cyber breach, ransomware attacks hold a business’ data and system hostage, forcing business owners to pay the ransom or lose their data and capacity to operate.[18] This aspect of ransomware attacks can create gaps in policy coverage where businesses “voluntarily” pay ransom in order to rescue their data and computer system[19] or pay without the consent of the insurer.[20]


* David A. Gauntlett is a principal of Gauntlett & Associates. For more information, visit Gauntlett & Associates at www.gauntlettlaw.com. 

[1] Heidi Mitchell, The Biggest Cybersecurity Risk: Our Brains. The Wall Street Journal (Sept. 9, 2021).

[2] David Uberti, Hackers Circle as Individual Investors Pour Cash into Crypto. The Wall Street Journal (Nov. 21, 2021).

[3] Heidi Mitchell, That Great Job Offer? It May be a Scam. The Wall Street Journal (Sept. 9, 2021).

[4] Daniel Kahneman (2013). Thinking, Fast and Slow. Farrar, Straus and Giroux (New York).

[5] Beazley Group, Cryptojacking Endorsement. Form No. E12968 (2019)

[6] Michael Nadeau, Cryptojacking Explained: How to Prevent, Detect, and Recover from It. CSOonline (May 6, 2021).

[7] Supra, Hackers Circle as Individual Investors Pour Cash into Crypto (2021).

[8] Anna Hirtenstein, Crypto Hackers Stole More Than $600 Million from DeFi Network, Then Gave Some of It Back. The Wall Street Journal (Aug. 11, 2021)

[9] See National Ink & Stitch, LLC v. State Auto Prop. & Cas. Ins. Co., 435 F. Supp. 3d 679, 684-685 (D. Md. 2020) (“[A]lthough the intended use of the software might sever it from the tangible form in which it was originally transmitted…Maryland courts would find physical damage to Plaintiff's computer software, despite its installation on Plaintiff's computer system, because the software was rendered entirely unusable by the ransomware attack.”)

[10] New England Sys. v Citizens Ins. Co. of Am., 2021 U.S. Dist. LEXIS 93601 (Dist. Conn. May 17, 2021)

[11] Id. at *11

[12] See also Mondelēz Int’l, Inc. v. Zurich Am. Ins. Co., No. 2018-L-011008 (Ill. Cir. Ct. Oct. 10, 2018).

[13] Merck & Co., Inc. v. Ace Am. Ins. Co., No. UNN-L-002682-18 (N.J. Super. Ct. Law Div. Aug. 2, 2018)

[14] Id. at 13 (“This Policy does not insure the following: A. 1. Loss or damage caused by hostile or warlike action in time of peace or war, including action in hindering, combating, or defending against an actual, impending or expected attack: (a) by any government or sovereign power (de jure or de facto) or by any authority maintaining or using military, naval, or air forces; (b) or by military, naval, or air forces; (c) or by an agent of such government, power, authority, or forces…”)

[15] Id. at 14

[16] Id. at 34

[17] Angad Chopra, Cyberattack – Intangible Damages in a Virtual World: Property Insurance Companies Declare War on Cyber-Attack Insurance Claims. 82 Ohio St. L.J. 121, *150-151 (2021)

[18] Crawford, To Pay or Not to Pay, That is the Ransomware Question. Crawford Blog (June 14, 2021)

[19] See G&G Oil Co. of Ind. v. Cont’l W. Ins. Co., 165 N.E.3d 82, 90-91 (2021) (“Though certainly G&G Oil's transfer was voluntary, it was made only after consulting with the FBI and other computer tech services…These payments were ‘voluntary’ only in the sense G&G Oil consciously made the payment. To us, however, the payment more closely resembled one made under duress. Under those circumstances, the ‘voluntary’ payment was not so remote that it broke the causal chain.”)

[20] Beazley Group, Beazley Breach Response. Form No. F00653 112017 ed. (Cyber Extortion Loss means: 1. any Extortion Payment that has been made by or on behalf of the Insured Organization with the Underwriters’ prior written consent to prevent or terminate an Extortion Threat; and 2. reasonable and necessary expenses incurred by the Insured Organization with the Underwriters’ prior written consent to prevent or respond to an Extortion Threat.)