That is the question many cyber insurance policyholders will be asking when ransomware demand (aka “cyber extortion”) coverage becomes scarce, and we could be headed in that direction.[1]
Until now there has been an ongoing argument over whether cyber insurance carriers, in assisting their policyholders with ransomware demands, were contributing to the growth of ransomware demands. That debate is now over, because the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) has just settled it. OFAC has stated that cyber insurance firms, including financial institutions, and companies involved in digital forensics and incident response not only encourage future ransomware payment demands but also may risk violating OFAC regulations.
It is quite interesting that the U.S. Department of the Treasury has issued a warning to the cyber insurance industry against paying ransomware demands when in recent years several governmental agencies on both a federal and state level have held cyber insurance working sessions to facilitate the growth of the cyber insurance industry. NIST itself has recognized the role that cyber insurance can play in helping businesses respond to and recover from a cyber incident.[2]
Nevertheless, while this warning will certainly not cause ransomware insurance coverage to become extinct, the advisory has created a big risk for both the cyber insurance market and its policyholders, especially since the advisory has not provided a solution to a problem that has escalated to a point that is beyond control. We all know that cyber criminals must be stopped and that ransomware demands have significantly increased, especially during Covid-19. Yet there is no definitive solution to stopping these demands in the interim.
The consequences of a ransomware attack can be severe and far-reaching, with losses of sensitive, proprietary, and critical information and/or loss of business functionality.[3] When a ransomware attack occurs, many companies choose to pay the ransomware demand in order to recover as much of their data as possible and get back to business quickly. There are certainly many others who have opted not to pay a ransomware demand and unfortunately ended up with significant costs and downtime. Some have even gone out of business because the huge costs outweighed the cost of staying in business, while others were able and fortunate to stay in business thanks to having cyber insurance.
Another ramification of the inability to pay a ransom demand that OFAC may not realize
Today, there are hundreds of thousands of contractual agreements in place (some with state-level agencies and local governments) that require their vendors (our cyber insurance policyholders) to have and maintain cyber insurance that includes ransomware coverage. If this stark warning were intended to dissuade cyber insurers from making ransom payments at all, many of these contractual agreements would be put in danger due to a failure to maintain a contractual obligation. This could be very unsettling not just for cyber insurance policyholders but for the companies, organizations, state-level agencies and governments that specify in their contracts that ransom demand coverage be included in their vendors’ cyber insurance policies. Nonetheless, while cyber insurers cannot simply remove the coverage from cyber insurance policies, they have just been warned not to pay a ransomware demand to individuals or entities (“persons”) on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), other blocked persons, and those covered by comprehensive country or region embargoes (e.g., Cuba, the Crimea region of Ukraine, Iran, North Korea, and Syria).
This warning has the potential to leave many cyber insurance policyholders with a coverage gap and openly exposes them to breaching a contractual obligation, which is specifically excluded in many cyber insurance policies.
The cyber insurance industry is certainly not an incubator for cyber criminals nor do we want ransomware attacks to continue as the costs of ransom demands far outweigh the cost of cyber insurance premiums.
Fortunately, cyber insurance policies offer many other coverages in the event a ransom demand is not or cannot be paid. Coverage is offered for data loss and restoration, network interruption outages and costs, business income loss, reputational harm and the costs associated with notifying individuals of a data breach and more.
Indeed, it will be the cyber insurance policyholders who pay the price in the event ransom payments are no longer allowed. This will cause cyber insurance premiums to increase due to the higher costs of dealing with data loss and longer periods of business network interruption, which will lead to significant loss of revenue for insureds and insurers alike. The segment most impacted by this change will likely be SMEs, as they will probably be priced out of the cyber insurance market. SMEs can’t afford not to have cyber insurance, as they are the segment that needs it the most.
When you drain a pond, we all know that what’s in the pond cannot survive. However, that idiom does not apply to cyber criminals, as they are the water that flows into the pond. Therefore, when their livelihood is on the line, this will only lead to new threats and attacks that can spiral out of control in other ways we cannot yet imagine.
While ransomware attacks are carried out against large corporations, many ransomware attacks also target small- and medium-sized businesses, local government agencies, hospitals, and school districts, which may be more vulnerable as they may have fewer resources to invest in cyber protection.[4] Unfortunately, for those aforementioned, losing ransomware demand coverage in their cyber insurance policy could prove to be devastating.[5]
This advisory is certainly a setback and a surprise to many due to its abruptness and what seems like a lack of any advance warning. However, cyber insurance is the rock in the industry that will not be displaced, due to the invaluable coverages that come into play in the crucial time of need. Many cyber insurance policyholders who have turned to their cyber insurance policies during their critical time of need can vouch for that.
Cyber insurance will continue to thrive and evolve just as it has since the late 1990s.
[1] Insurance Journal, U.S. Treasury Warns Cyber Insurers Against Paying Ransomware Demands, https://www.insurancejournal.com/news/national/2020/10/01/584906.htm
[2] R Street Institute, submission to NIST, https://www.nist.gov/system/files/documents/2017/04/19/2017-04-10_-_r_street_institute.pdf
[3] FinCEN Advisory, FIN-2020-A006 (October 1, 2020), https://www.fincen.gov/sites/default/files/advisory/2020-10-01/Advisory%20Ransomware%20FINAL%20508.pdf
[4] U.S. Department of the Treasury, Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (October 1, 2020), https://home.treasury.gov/system/files/126/ofac_ransomware_advisory_10012020_1.pdf
[5] AP News, German hospital hacked, patient taken to another city dies, https://apnews.com/article/technology-hacking-europe-cf8f8eee1adcec69bcc864f2c4308c94