Is it illegal for an insurer to pay the ransom demanded in a cyber extortion or ransomware attack on its insured? According to the US Department of the Treasury’s Office of Foreign Assets Control’s (“OFAC”) October 1, 2020 advisory (“OFAC Advisory”), in certain situations, it may be.
Ransomware attacks are cyber-attacks in which a threat actor typically (1) demands a ransom in exchange for not encrypting data, destroying data, or blocking access to a computer system or data; or (2) demands a ransom in exchange for restoring access to a computer system or decrypting data that it has already encrypted.
Gone are the days when cybercriminals demanded relatively small amounts, such as during 2017's rash of WannaCry ransomware attacks, each of which sought a ransom of $300 to $600 worth of bitcoin to restore access to encrypted data and computer systems. Now, threat actors commonly demand millions. And claims are becoming more prevalent. The OFAC Advisory cites a 147% increase in ransomware losses between 2018 and 2019, and ZDNet recently reported that ransomware incidents accounted for 41% of cyber insurance claims filed in the first half of 2020.
The OFAC Advisory makes clear its concern that the payment of ransom demands emboldens threat actors to engage in future attacks. Rather than presenting any new legal bases on which insurers or other companies might face sanctions relating to ransom payments, the advisory appears to serve as a cautionary reminder of existing law that would require insurers to first make sure the threat actor has not been identified by OFAC as a specially designated national or blocked person before making any ransom payment.
The practical problem for insurers and their insureds, however, is that it is exceptionally difficult to determine who the threat actor is within the short time frames that ransom demands impose. And every hour that the insured’s company is crippled by the ransomware attack may translate to thousands, if not hundreds of thousands or millions, of dollars lost. This can present a particular problem for policyholders who thought they purchased insurance specifically to cover ransomware attacks and now may be facing a recalcitrant insurer.
Further, policyholders should note that in response to OFAC requirements and the advisory, some insurers are broadening OFAC and/or related exclusions in cyber insurance policies. Pay special attention to this issue in evaluating changes to your policies at renewal.
With respect to new or existing claims, policyholders should be aware that certain insurers might reserve rights regarding a particular claim and instruct the insured to act as a reasonably prudent uninsured would because the insurer cannot yet confirm or deny coverage. This situation would leave the insured in a precarious position, where it must decide whether to pay a ransom—and risk the ransom being uninsured—or not pay the ransom—and risk significant business interruption losses and other investigation and restoration costs while trying to restore data from backups. To help protect against this situation, corporate policyholders should ensure that they have at least the following insurance coverage:
- a cyber insurance policy that provides ransomware/cyber extortion coverage; robust breach/security event response costs coverage; cyber liability coverage; network interruption coverage; and digital asset/data loss coverage to cover costs to restore or recreate electronic data lost due to the ransomware event;
- a kidnap, ransom and extortion policy that provides cyber extortion coverage (including coverage not only for a ransom demanded on the threat to block access to or encrypt data, but also for a ransom demanded to restore access to a computer system or decrypt data where the threat actor has already accessed the policyholder’s system); and
- directors and officers (“D&O”) liability insurance—without a cyber exclusion—to ensure coverage for any resulting shareholder, securities, or other suits against directors, officers, or the company arising out of the ransomware attack and any losses to the company or others resulting therefrom.
Policyholders are best served by hiring competent coverage counsel to evaluate their existing insurance program for cyber risks prior to renewal or policy procurement. Coverage counsel can then work with the policyholder and their broker to ensure that the policyholder obtains the best available coverage for ransomware risks before the policyholder experiences such an attack.
Further, in the event of a ransomware attack, policyholders should ensure that they promptly retain not only experienced and competent breach response counsel to guide them on the ransomware or cyber extortion response, but also competent coverage counsel to help them notify the appropriate insurers, analyze their policies for coverage, and guide them through the claims process.