On September 21, 2021 and October 15, 2021, the US Treasury Department’s Office of Foreign Assets Control (OFAC) issued reminders of the sanctions risks for facilitating ransom payments to designated malicious cyber actors.  As discussed in our prior blogpost on OFAC’s October 1, 2020 advisory, OFAC has made clear that it is increasingly willing to bring enforcement actions against entities, including cyber insurers, that facilitate payments to sanctioned threat actors on behalf of corporate victims.

This guidance should serve as a reminder to policyholders that ransomware and other cyber incidents trigger stringent regulatory and reporting requirements and that policyholders should consider engaging experienced advisors to develop a cohesive response strategy when cyber incidents occur.  OFAC’s guidance also should remind policyholders to carefully scrutinize cyber insurance coverages (and others) to ensure they provide the broadest possible coverage for cyber risks while still following OFAC guidance.

OFAC’s Recent Guidance and Trends in Ransomware

In its most recent guidance, OFAC has put insurers on notice that if they fail to comply with OFAC regulations, they face civil penalties and that OFAC may impose those penalties based on a strict liability legal standard.  OFAC has endeavored to clarify its intent moving forward by providing more detailed guidance for the public.  In addition to providing detailed case studies related to sanctionable conduct, risk assessment measures, and necessary internal controls, OFAC has also endeavored to update definitions which are implicated in the ransomware context such as “digital currency,” “digital currency wallet,” “digital currency address,” and “virtual currency.”

This guidance comes shortly after a US Treasury Department report on trends in ransomware.  The report shows that ransomware is an increasingly prevalent and expensive threat to businesses – the US Treasury Department has already observed that through June 30, 2021, the total value of suspicious activity associated with ransomware transactions in 2021 was $590 million, which exceeds the total value reported for all of 2020.

Reminders to Policyholders

These trends and guidance should serve as a reminder that policyholders need to carefully scrutinize coverage with insurance counsel and be willing to engage experienced advisors, including breach response counsel, ransomware specialists, and insurance counsel in the event of a cyber incident.

Along with cyber-specific policies, which will offer the most robust coverage for expenses and liabilities arising from a cyber incident, companies should evaluate their other key policies for coverage of losses related to a cyber incident; Kidnap, Ransom & Extortion; Crime; Directors & Officers; and even property insurance policies may provide more coverage.

These are just a few of the key issues and gaps that corporate policyholders should consider when reviewing their existing coverage:

1. Review sanctions exclusions, including sanctions exclusions endorsements, to ensure the insurer has implemented tailored language to acknowledge sanctions guidance, including OFAC guidance, but that the policy still allows the policyholder broad coverage as long as any payments do not run afoul of sanctions guidance.

2. Consider optional coverages, such as reputation loss coverage and public relations and crisis management coverage, to help mitigate the fallout from any cyber incident.

3. Request that any terrorism and war exclusions in cyber policies contain exceptions for cyber-terrorism and that all war exclusions be revised to apply only to physical war.

4. Ensure contractual liability exclusions contain carve-outs for liability that would exist in the absence of contract and an exception for actions brought by a payment card brand or acquiring brand, including payment card industry fines or penalties.

5. Make sure that exclusions for bodily injury or invasion of privacy are carved back so that they do not apply to otherwise covered claims arising out of a privacy breach.

6. Purchase express social engineering coverage on your company’s crime insurance policy to cover social engineering schemes and business email compromises that lead to fraudulent transfers.

Policyholders should work to identify and fill any gaps in their insurance program before renewal, including by eliminating problematic exclusions and endorsements in their cyber insurance policy, to ensure that they have adequate coverage for cyber incidents going forward.