Is it illegal for an insurer to pay the ransom demanded in a cyber extortion or ransomware attack against its insured? According to the US Department of the Treasury's Office of Foreign Assets Control ("OFAC"), as of October 1, 2020, in some situations it may be.
Ransomware attacks are cyber attacks in which a threat actor typically (1) demands a ransom in exchange for not encrypting data, destroying data, or blocking access to a computer system or data; or (2) demands a ransom in exchange for restoring access to a computer system or for decrypting data it has already encrypted. Early on, threat actors typically sought a ransom of $300 to $600 worth of bitcoin to restore access to encrypted data and computer systems. Now, threat actors routinely demand millions. And claims are becoming more common. The OFAC advisory cites a 1
The OFAC advisory explains its concern that ransom payments fund threat actors and enable them to carry out future attacks. Rather than presenting any new legal basis on which insurers or other companies may be subject to sanctions in connection with ransom payments, the advisory appears to serve as a reminder of existing law, which would require insurers to first confirm that the threat actor has not been identified by OFAC as a Specially Designated National or blocked person before any ransom payment is made.
The practical problem for insurers and their insureds, however, is that it is exceptionally difficult to determine who the threat actor is within the short deadlines set by the ransomware attacker's ransom demand. And every hour that the insured's business is paralyzed by the ransomware attack can translate into thousands, if not hundreds of thousands or millions, of dollars in losses. This can be a particular problem for policyholders who thought they had purchased insurance specifically to cover ransomware attacks and may now face an insurer that resists paying.
Furthermore, policyholders should note that in response to the OFAC requirements and the advisory, some insurers are broadening OFAC and/or related exclusions in cyber insurance policies. Pay special attention to this issue when evaluating changes to your insurance policies at renewal.
For new or existing claims, policyholders should be aware that some insurers may reserve their rights on a particular claim and instruct the insured to act as a reasonable uninsured party would, because the insurer cannot yet confirm or deny coverage. This situation leaves the insured in an uncertain position, having to decide whether to pay a ransom and risk that the ransom is uninsured, or not pay the ransom and risk significant business interruption and other investigation and restoration costs while trying to recover data from backups. To protect against this situation, corporate policyholders should ensure that they have at least the following insurance coverage:
- cyber insurance that provides ransomware / cyber extortion coverage; robust coverage for intrusions / security incidents; cyber liability coverage; network interruption coverage; and digital asset / data loss coverage to cover the cost of recovering or recreating electronic data lost as a result of the ransomware event;
- kidnap, ransom and extortion insurance that provides coverage for cyber extortion (including coverage not only for a ransom demanded under a threat to block access to or encrypt data, but also for a ransom demanded to restore access to a computer system or to decrypt data where the threat actor already has access to the policyholder's system); and
</gra_replace>
<gr_replace lines="9" cat="clarify" orig="- liability insurance">
- directors and officers liability insurance ("D&O"), without a cyber exclusion, to ensure coverage for any resulting shareholder, securities or other lawsuits against board members, executives or the company arising from the company's ransomware attack, and any related derivative claims.
- liability insurance for board members and executives ("D&O") – without cyber exemption – to ensure coverage for all resulting shareholders, securities or other lawsuits against board members, executives or the company arising from the company's ransomware attack and any or others derived from this.
Policyholders are best served by engaging competent coverage counsel to evaluate their existing cyber risk insurance program before renewing or procuring insurance. Coverage counsel can then work with the policyholder and its broker to ensure that the policyholder obtains the best available coverage for ransomware risks before the policyholder experiences such an attack.
Furthermore, in the event of a ransomware attack, policyholders should ensure that they immediately retain not only experienced and competent breach counsel to guide them through the ransomware or cyber extortion event, but also competent coverage counsel to help them notify the appropriate insurers, analyze their insurance policies and guide them through the claims process.