On December 13, 2021, workforce management solutions company Ultimate Kronos Group (“UKG”) announced that it had suffered a ransomware attack two days earlier. The attack impacted UKG’s Kronos Private Cloud, causing various HR-related applications to be unavailable. The impacted HR-related applications are used by UKG’s customers to track employees’ hours and issue paychecks, among other HR-related functions. Upon discovery of the incident, UKG notified approximately 2,000 affected customers that the applications they rely on for these functions were unavailable, which included many WTW clients.
A number of affected WTW clients chose to report the incident to their cyber insurers as a notice of circumstance since they were unaware whether their data or protected information for which they are responsible (such as that belonging to their employees or customers) had been compromised as a result of the ransomware attack. Clients also reported the incident to their cyber insurers as potential business interruption loss caused by the inability to access the private cloud platform.
How have clients been impacted?
While investigations are ongoing as to whether there is any evidence of exfiltration of client data as part of the ransomware attack, several clients have been fortunate to receive confirmation from UKG that their data was not compromised or exfiltrated as a result of the incident. However, in an abundance of caution, some clients have sought coverage under their cyber insurance policies for consultation with breach counsel to ensure that they are properly complying with any applicable privacy regulations in the event they ultimately discover and/or are informed that their data has been compromised. Since the Kronos Private Cloud is used for HR-related purposes, clients share employee data with UKG, which increases the risk of potential compromise of protected information. However, based on the limited information available at this time, it appears unlikely that many clients will be seeking coverage under their cyber insurers’ data incident response expense coverages. But, to the extent that they do seek coverage under this insuring agreement, it appears unlikely that clients will be incurring significant costs, especially since UKG would presumably cover the cost of notification and monitoring protection services. It should be noted that we have not yet learned of any clients whose networks or computer systems have been compromised as a result of the Kronos ransomware attack.
From a business interruption loss perspective, many affected clients were forced to scramble when the Kronos applications became unavailable. For example, some clients were forced to manually process paychecks or resort to manual timekeeping. The question of whether clients will be able to recover for these expenses under their cyber policies’ business interruption coverages will ultimately hinge on how the policies define business interruption loss or extra expenses. Typically, “business interruption loss” is defined as income loss – which raises the question of whether the failure to track employee hours or issue paychecks constitutes a loss of business income. However, different insurers’ cyber policies define “extra expenses” in various manners – some policies define such expenses as those incurred to reduce loss of income, whereas other policies define “extra expenses” more broadly to include expenses incurred over and above the company’s ordinary expenses, and as a result of the event.
While clients evaluate whether to submit claims for business interruption loss or extra expenses to their cyber insurers, we recommend that all affected clients review their service agreements with UKG to evaluate potential recovery options, including whether some or all potential business interruption-related expenses are recoverable from UKG. The potentially applicable policies’ Subrogation and Recovery provisions may require that an indemnification demand against UKG be made or at least preserved.
What should you do?
We recommend that clients maintain detailed records regarding expenses incurred due to manual timekeeping or payroll processes. Furthermore, clients should review their cyber insurance policies to determine whether a proof of loss for business interruption loss needs to be submitted by a particular deadline and/or whether a ransomware event sublimit or coinsurance applies. Lastly, clients may want to consider engaging a forensic accountant to discuss potential recovery for business interruption loss and extra expenses. To the extent that you have questions about the coverage that may be available to you under your cyber insurance policy, please consult with your WTW claims advocate or broker.
