Some companies without cyber insurance are using kidnap policies, known as K&R coverage, to cover ransomware attacks like the recent WannaCry attack, according to Reuters. K&R policies typically cover ransom payments and crisis response services.
American International Group Inc., Hiscox Ltd. and the Travelers Companies Inc. all reported they have recently received ransomware claims from customers with K&R policies, Reuters reports.
Almost all cyber insurance policies are written in the U.S., but most of the WannaCry attacks affected computers outside the U.S. Insurers warn that K&R is not a suitable replacement for cyber insurance coverage, but experts say the insurance companies should also review their policies to make sure it’s clear whether ransomware attacks are excluded or they may end up covering damage.
As more large-scale cyberattacks occur, companies are looking for ways to protect their assets and insure against potential damage. The global cyber insurance market is expected to grow 131% by 2020, compared to the 2016 market, according to a recent report from the Insurance Information Institute.
The cyber insurance market is growing, but it is really only used in the United States. Though leaning on K&R policies to help with recovery is a clever strategy, it is unlikely insurers will permit it long term.
There are about 60 companies writing cyber insurance policies today. With ransomware and other damaging cyberattacks on the rise, businesses outside the U.S. will either need to find a company that offers cyber insurance or figure out another way to protect themselves as cybercriminals get more savvy.
After all, the cost for a company to respond to cybersecurity incidents is on a steep climb. A recent report from Kaspersky Lab found the average cost of recovery from a single security incident is estimated to be $86,500 for small and medium businesses and $861,000 for enterprises.