NMP - April 2017 - 31

Don't Let Cyber Extortion Lock the Doors
to Your Mortgage Business
By Dean L. Milber, JD, MA

F

It is not surprising that many of
the questions raised by your peers
about cyber insurance turned to
ransomware coverage since
Beazley, a leading cyber insurer,
reported in its October 2016 Beazley
Breach Insights that it responded to
more cyber extortion attacks in July
and August of 2016 than in all of
2015. When using the term
"ransomware," I am referring to a
form of cyber kidnapping where a

computer virus prevents users from
accessing files on their computer,
and threatens permanent encryption
or deletion of that data if a ransom is
not paid. The perpetrator typically
makes a "nuisance" value demand
so the ransomed party concludes
the only practical is to pay to get the
data restored. The Beazley Breach
Insights report cited above
references the average demand as
$1,000, although Quartz Media
reported in a Feb. 11, 2017 online
article of higher profile ransoms in
2016 ranging from $17,000 to
$73,000.
Even a "nuisance" ransom
payment could be financially
crippling to a mortgage
professional, and the availability of
extortion insurance is something
that should be explored as part of a
business' insurance portfolio. Such
extortion coverage, however,
comes with its own issues that
need to be considered when
looking to purchase cyber liability
insurance. To begin with, the
amount of extortion coverage
available is usually a sub-limit of the
cyber policy or, in other words, the
amount available to respond to a
ransomware claim is less than the
entire cyber policy limit of liability.
Moreover, as mentioned above,
the ransom demand is typically an
amount designed to lead to a quick
payment. This is important for two
reasons. First, an insurer could
require a mortgage professional to
provide notice of an extortion claim
within a certain time frame,
sometimes as long as 30 days, and
more often than not well after the
payment is due. Therefore, paying
the ransom before notifying the
insurance company could
jeopardize the availability of
insurance coverage. Second, the
ransom demand could fall within
the policy deductible that a
mortgage professional is required
to pay before an insurer is obligated
to make any payment. Thus, any
extortion coverage should have a
limit that a professional determines
to meet his or her industry needs,
and the deductible should be at an
amount that a professional insured
could afford to pay. Note that I

have seen extortion coverages that
have a lower deductible than the
regular policy deductible, and this
is something that could be
explored as well.
Finally, many cyber extortion
coverages contain additional and
unique conditions to coverage and,
if not met, could vitiate an insurer's
obligation to pay. For example, a
policyholder may need to satisfy
the notice requirement discussed
above together with a
demonstration of an effort not to
pay or at least negotiate the
demand. In connection with the
latter, I would certainly recommend
coordinating such efforts with the
insurer since such negotiation
could lead to other damages under
other portions of the cyber policy
(i.e., data recovery costs)
complying with this "negotiation"
insurance condition. Additionally,
insurers could require the extortion
threat to be "credible," and finally,
insurers often reserve the right to
cancel the cyber extortion
coverage or deny a claim if the
perpetrator learns of the availability
of such insurance coverage.
The proliferation of ransomware
as a relatively simple, quick
criminal scheme with difficulty
tracking the usual forms of digital
payment (i.e., Bitcoin) will likely
continue impacting professions
that control sensitive client
information, including mortgage
professionals. The availability of
insurance to assist in combating
this trend should not be
overlooked, and a mortgage
professional can evaluate the
different policies that are presently
available to customize coverage
that is most suitable to their
business needs. As with other
forms of insurance, the issuance
and cost of a cyber policy will vary
based on the risk involved, and
reliance on insurance is only part
of the equation. To increase the
availability and minimize the cost
of cyber insurance, it is certainly
recommended that this go hand in
hand with other cyber risk
management tools such as data
backup, authentication safeguards,
and employee training.

Dean L. Milber, JD, MA is director of Claims and Business
Development for CalSurance/Lancer Claims Services, a
Division of Brown & Brown Program Insurance Services Inc.
He may be reached by phone at (714) 939-7380 or e-mail
DMilber@LancerClaims.com.

31

n National Mortgage Professional Magazine n APRIL 2017

insurance business, offering
different coverages with varying
conditions to and exclusions from
coverage.
Generally speaking, most
insurers offer some form of first
party coverage (for losses an
insured sustains) and third-party
liability coverage (for damages that
an insured is accused of being
responsible for by another). These
forms of cyber coverage are
broken down even further,
depending what is being offered by
a particular insurer usually with
different limits of liability for
specific coverage. These
coverages include:
l Media liability, such as breach
of copyright on a Web site and
defamation. This is the type of
claim that could be covered
under the advertising part of a
CGL mentioned above.
l Security and privacy liability for
damages alleged by thirdparties including employees
and customers in the event of
a data breach. Third-party
claims by employees may be
subject to a policy exclusion.
l Extortion for incidents such as
ransomware attacks and the
payment of monies for the
return of data.
l Crisis management services
and costs after an actual or
suspected data breach, and
could include customer
notification costs, computer
forensics, credit monitoring
expenses and public relations
services.
l Data recovery to restore or
recreate lost or damaged data,
as well as business
interruption/loss of business
income.
l Regulatory defense expenses
for an investigation by a
regulatory agency with many
policies covering compliance
costs, fines and penalties.

NationalMortgageProfessional.com

or those who were
fortunate enough to
attend NAMB East in
Atlanta, I hope you
were able to listen to
the "Cybersecurity
and Your Business" presentation
by United States Secret Service
Agent Alan Davis. Many who did
found their way to me the next day
as part of the NAMB+ Endorsed
Professional Liability (E&O)
Program for NAMB Members
asking about cyber liability
insurance policies in general and
ransomware claims in particular. I
thought it would be useful to share
with you the issues raised by your
fellow mortgage professionals.
To begin with, I was asked quite
a bit about whether a business or
office liability policy will protect a
mortgage professional from a
cyber liability attack. While I have
seen a few court decisions finding
that a commercial general liability
(CGL) insurance policy provides
some coverage in the event of a
cyber claim, usually under Liability
Part B, Advertising Injury
Coverage, this is the exception
rather than the rule and the
coverage that is found would only
cover some of the damage under
any circumstance (if at all). That
being said, some general liability
policies and professional liability
policies like the NAMB+ endorsed
E&O policy does allow for the
purchase of an endorsement
adding some form of cyber liability
coverage. The question then
becomes what type of cyber
insurance coverage could be
added to an existing general
liability or professional liability
policy or, for that matter, provided
by way of a separate, stand-alone
cyber liability insurance policy.
If you are involved in the
purchase of insurance for your
business, you have likely seen
cyber insurance evolve 20 years
ago or so from being marketed to
technology companies that bought
errors and omissions insurance and
to professionals handling sensitive
client information like yourselves.
As a relatively new form of
insurance, it should not be
surprising that there is no standard
cyber policy form like is often found
with your homeowners and
automobile policies. The insurance
marketplace is flooded with carriers
jumping in and out of the cyber


http://www.NationalMortgageProfessional.com

Table of Contents for the Digital Edition of NMP - April 2017

Contents
NMP - April 2017 - Cover1
NMP - April 2017 - Cover2
NMP - April 2017 - 1
NMP - April 2017 - Contents
NMP - April 2017 - 3
NMP - April 2017 - 4
NMP - April 2017 - 5
NMP - April 2017 - 6
NMP - April 2017 - 7
NMP - April 2017 - 8
NMP - April 2017 - 9
NMP - April 2017 - 10
NMP - April 2017 - 11
NMP - April 2017 - 12
NMP - April 2017 - 13
NMP - April 2017 - 14
NMP - April 2017 - 15
NMP - April 2017 - 16
NMP - April 2017 - 17
NMP - April 2017 - 18
NMP - April 2017 - 19
NMP - April 2017 - 20
NMP - April 2017 - 21
NMP - April 2017 - 22
NMP - April 2017 - 23
NMP - April 2017 - 24
NMP - April 2017 - 25
NMP - April 2017 - 26
NMP - April 2017 - 27
NMP - April 2017 - 28
NMP - April 2017 - 29
NMP - April 2017 - 30
NMP - April 2017 - 31
NMP - April 2017 - 32
NMP - April 2017 - 33
NMP - April 2017 - 34
NMP - April 2017 - 35
NMP - April 2017 - 36
NMP - April 2017 - 37
NMP - April 2017 - 38
NMP - April 2017 - 39
NMP - April 2017 - 40
NMP - April 2017 - 41
NMP - April 2017 - 42
NMP - April 2017 - 43
NMP - April 2017 - 44
NMP - April 2017 - 45
NMP - April 2017 - 46
NMP - April 2017 - 47
NMP - April 2017 - 48
NMP - April 2017 - 49
NMP - April 2017 - 50
NMP - April 2017 - 51
NMP - April 2017 - 52
NMP - April 2017 - 53
NMP - April 2017 - 54
NMP - April 2017 - 55
NMP - April 2017 - 56
NMP - April 2017 - 57
NMP - April 2017 - 58
NMP - April 2017 - 59
NMP - April 2017 - 60
NMP - April 2017 - 61
NMP - April 2017 - 62
NMP - April 2017 - 63
NMP - April 2017 - 64
NMP - April 2017 - 65
NMP - April 2017 - 66
NMP - April 2017 - 67
NMP - April 2017 - 68
NMP - April 2017 - 69
NMP - April 2017 - 70
NMP - April 2017 - 71
NMP - April 2017 - 72
NMP - April 2017 - 73
NMP - April 2017 - 74
NMP - April 2017 - 75
NMP - April 2017 - 76
NMP - April 2017 - 77
NMP - April 2017 - 78
NMP - April 2017 - 79
NMP - April 2017 - 80
NMP - April 2017 - 81
NMP - April 2017 - 82
NMP - April 2017 - 83
NMP - April 2017 - 84
NMP - April 2017 - 85
NMP - April 2017 - 86
NMP - April 2017 - 87
NMP - April 2017 - 88
NMP - April 2017 - 89
NMP - April 2017 - 90
NMP - April 2017 - 91
NMP - April 2017 - 92
NMP - April 2017 - 93
NMP - April 2017 - 94
NMP - April 2017 - 95
NMP - April 2017 - 96
NMP - April 2017 - 97
NMP - April 2017 - 98
NMP - April 2017 - 99
NMP - April 2017 - 100
NMP - April 2017 - 101
NMP - April 2017 - 102
NMP - April 2017 - 103
NMP - April 2017 - 104
NMP - April 2017 - Cover3
NMP - April 2017 - Cover4
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201912
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201911
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201910
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201909
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201908
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201907
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201906
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201905
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201904
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201903
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201902
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201901
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201812
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201811
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201810
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201809
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201808
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201807
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201806
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201805
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201804
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201803
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201802
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201801
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201712
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201711
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201710
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201709
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201708
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201707
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201706
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201705
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201704
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201703
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201702
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201701
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201612
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201611
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201610
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201609
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201608
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201607
http://www.nxtbook.com/nxtbooks/nmpmedia/nmp_201604
http://www.nxtbookMEDIA.com