September 28, 2021

Volume XI, Number 271


While OFAC Cautions Cyber Insurers About Facilitating Ransomware Payments, Policyholders Should Ensure They’re Covered

Is it illegal for an insurer to pay the ransom demanded in a cyber extortion or ransomware attack on its insured? According to the US Department of the Treasury’s Office of Foreign Assets Control’s (“OFAC”) October 1, 2020 advisory (“OFAC Advisory”), in certain situations, it may be.

Ransomware attacks are cyber-attacks where a threat actor typically (1) demands a ransom in exchange for not encrypting data, destroying data, or blocking access to a computer system or data; or (2) demands a ransom in exchange for restoring access to a computer system or to unencrypt data that it has already encrypted.

Gone are the days when cybercriminals demanded relatively small amounts, such as during 2017's rash of WannaCry ransomware attacks, each of which sought a ransom of $300 to $600 worth of bitcoin to restore access to encrypted data and computer systems. Now, threat actors commonly demand millions. And claims are becoming more prevalent. The OFAC Advisory cites a 147% increase in ransomware losses between 2018 and 2019, and ZDNet recently reported that ransomware incidents accounted for 41% of cyber insurance claims filed in the first half of 2020.

The OFAC Advisory makes clear its concern that the payment of ransom demands emboldens threat actors to engage in future attacks. Rather than presenting any new legal basis on which insurers or other companies might face sanctions relating to ransom payments, the advisory serves as a cautionary reminder of existing law: before making any ransom payment, an insurer (or anyone facilitating the payment) must first make sure the threat actor has not been identified by OFAC as a specially designated national or blocked person, or is otherwise subject to sanctions.

The practical problem for insurers and their insureds, however, is that it is exceptionally difficult to determine who the threat actor is within the short time constraints imposed by a ransomware ransom demand. And every hour that the insured is crippled by the ransomware attack may translate to thousands, if not hundreds of thousands or millions, of dollars lost. This can present a particular problem for policyholders who thought they purchased insurance specifically to cover ransomware attacks and now may be facing a recalcitrant insurer.

Further, policyholders should note that in response to OFAC requirements and the advisory, some insurers are broadening OFAC and/or related exclusions in cyber insurance policies. Pay special attention to this issue in evaluating changes to your policies at renewal.

With respect to new or existing claims, policyholders should be aware that certain insurers might reserve rights regarding a particular claim and instruct the insured to act as a reasonably prudent uninsured would, because the insurer cannot yet confirm or deny coverage. This situation would leave the insured in a precarious position, where it must decide whether to pay a ransom—and risk the ransom being uninsured—or not pay the ransom—and risk significant business interruption losses and other investigation and restoration costs while trying to restore data from backups. To help protect against this situation, corporate policyholders should ensure that they have at least the following insurance coverage:

  1. a cyber insurance policy that provides ransomware/cyber extortion coverage; robust breach/security event response costs coverage; cyber liability coverage; network interruption coverage; and digital asset/data loss coverage to cover the costs to restore or recreate electronic data lost due to the ransomware event;

  2. kidnap, ransom and extortion insurance that provides cyber extortion coverage (including coverage not only for a ransom demanded on the threat to block access to or encrypt data, but also for a ransom demanded to restore access to a computer system or to decrypt data where the threat actor has already accessed the policyholder’s system); and

  3. directors and officers (“D&O”) liability insurance—without a cyber exclusion—to ensure coverage for any resulting shareholder, securities, or other suits against directors, officers, or the company arising out of the ransomware attack and any losses to the company or others resulting therefrom.

Policyholders are best served by hiring competent coverage counsel to evaluate their existing insurance program for cyber risks prior to renewal or policy procurement. Coverage counsel can then work with the policyholder and their broker to ensure that the policyholder obtains the best available coverage for ransomware risks before the policyholder experiences such an attack.

Further, in the event of a ransomware attack, policyholders should ensure that they promptly retain not only experienced and competent breach response counsel to guide them on the ransomware or cyber extortion response, but also competent coverage counsel to help them notify the appropriate insurers, analyze their policies for coverage, and guide them through the claims process.

Copyright © 2021, Hunton Andrews Kurth LLP. All Rights Reserved. National Law Review, Volume X, Number 308

About this Author

Walter J. Andrews, Partner

Walter’s practice focuses on complex insurance litigation, counseling and reinsurance arbitrations and expert witness testimony.

As the head of the firm’s insurance coverage practice, Walter offers clients more than 30 years of experience managing insurance-related issues, including program audits, policy manuscripting, counseling, litigation and arbitration. He works with companies in a diverse range of industries, including financial services, consumer products, food and beverages, chemicals, real estate and municipalities. 

...
305 810 6407
Andrea DeField, Associate

Andrea finds risk management, risk transfer, and insurance recovery solutions for public and private companies.

Andrea has dedicated her career to helping clients manage risk and maximize insurance recovery. As part of her counseling practice, Andrea adds value to business deals by advising clients on contractual risk transfer through indemnity, additional insured, and required insurance provisions in contracts. She also helps clients identify and mitigate risk before a loss occurs by conducting insurance due diligence for mergers and acquisitions and by conducting audits of clients...

305-810-2465
Michael Huggins, Associate

Michael represents policyholders in complex and high-value coverage matters under commercial lines of insurance.

Michael advises and litigates on behalf of policyholders in seeking insurance coverage under commercial insurance policies. He has worked on multiple high-profile insurance cases and is experienced in analyzing and litigating coverage disputes under a wide range of insurance policies, including commercial general liability (CGL), directors and officers liability (D&O), errors and omissions liability (E&O), and other professional liability policies, such as...

415-975-3744