Ransomware attacks have been in the news for years, with many stories about organizations making the difficult choice of losing their data, or paying to have their data unlocked. But as of October 1, 2020, it is an entirely new reality and cyber experts, at least in the US, must now contend with new regulations that could be a big problem. Ransom payments are essentially banned by the U.S. Treasury, and your insurance probably won’t help much!  This article will review some of the recent changes and how they might affect your organization and the protection you believe is available from your insurance carrier.  Watch out!

Insurance and risk management experts are advising that the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) advisory of 10/1/2020 is going to have a significant impact on both Cyber Liability and Kidnap & Ransom (K&R) policies. At issue are payments to organizations or entities that OFAC considers “terroristic” or supporters of terrorism.

Below you will find three links to articles describing the issues associated with the advisory. The National Law Review article has a link to the actual OFAC advisory, which I suggest you download and review on your own.

In essence, the articles all make these points perfectly clear:

• US Treasury OFAC is not a proponent of US organizations paying ransoms
• The onus to prove the ransoming entity is NOT a terrorist is on you
• You can’t escape the fines, seizures and other penalties OFAC can impose because the insurance company or the security company makes payments on your behalf

Article 1, National Law Review

Article 2, CSO (Chief Security Officer)

Article 3, US Department of the Treasury

In the past several months, I have heard of several organizations in various verticals and sizes that have suffered significant ransomware attacks. Each had a Privacy & Cyber Liability Insurance (CLI) policy. These policies typically have multiple elements and provisions, most with a Network Security Liability provision.  This portion of the policy should ostensibly pay ransomware (subject to policy conditions) up to its limit. In the cases I have become aware of over the past several months, the attacks penetrated organizations’ systems via security flaws in outside, 3rd party systems. In other words, the hackers gained access to the insureds’ systems via access granted to “trusted” outside vendors.  Essentially, this is what happened in the still-evolving front-page-headline-making, public trust/reputation, and revenue-killing SolarWinds hack.

In the ransomware cases I mentioned above, the FBI was involved.  They determined the hacks were of such sophistication that there was nothing they could do to recover the data. The FBI stated, on the record – if the victimized organizations wanted to pay the ransom to unlock their data, they (the FBI) would not consider that a violation of U.S. law.

However, per the October advisory, unless the FBI obtains specific written authorization from OFAC on behalf of the victimized organization, or the victim obtains approval from OFAC directly, OFAC has the power (and apparently the intention) to consider ransomware payments in violation of their October 1, 2020 statement.  The October advisory forbids payments to terrorist organizations. Therefore, the only path to legally paying a ransom is for the OFAC to determine that the hacker is NOT a terrorist organzation and approves the payment based on that determination. If ransom is paid without this prior determination, the OFAC may use its independent power and authority to impose fines, seize the victimized organization’s bank accounts, etc.  The advisory explicitly mentions that it applies to insurers, so having the insurer pay the ransom on behalf of the policyholder will NOT exempt either the victim or the insurer from penalties being imposed by OFAC. `

The consensus among some in the legal community is that even if there is a likelihood that the attackers are NOT terrorists, OFAC will not be issuing any authorizations for ransom payments. This is where a specialized cybersecurity/privacy attorney is vital to getting OFAC to let you pay the ransom, if and only if that is decided as the best course of action. Combine this disallowance of ransom payment situation with the newest bad actor tactic of double extortion (bad actor ransoms your data AND threatens to tell authorities you have been breached or make the data public if you do not timely pay, thereby likely tripping other fines and penalty provisions), and organizations can really be in dire straits; darned if they do and darned if they don’t!

Obviously, this would apply to K&R payments as well. An interesting twist with K&R is that almost all of the policies are issued by foreign insurers or Lloyds syndicates, so there may be other legal/jurisdictional wrinkles about the insurers’ liability for such payments in K&R, but probably not the insured’s potential liability.

Here are five key takeaways:

1. In the remainder of 2021, look for significant market changes in available insurance coverages in response to the OFAC advisory.
2. Existing cyber policies likely cannot be relied upon to pay all ransomware related demands since insurers are aware of this advisory.  The OFAC advisory clearly indicates that insurers, banks, and even security companies involved in paying or facilitating the ransom can be held liable. Therefore, before this becomes an issue for your organization, it is critical to have an ongoing relationship with a cybersecurity/privacy expert attorney.
3. All organizations need to raise efforts in their security training, and awareness programs (SETA), particularly about phishing, all its variants, email scams, and other fraudulent access schemes to avoid compromise in the first place.
4. Dramatically ramp up your own incident response plan (IRP) capabilities, including exercising your three-part (preparation/response/recovery) IRP and significantly step up your third-party vendor/supply chain information security program.  A full, objective cyber risk review of your organization self and your suppliers is likely an excellent start.
5. Data backups need to be reviewed to determine if they are sufficient to provide protection from ransomware attacks that encrypt data. I recommend using 3-2-1 backups.  That is, you should have three copies of your data (your production data and 2 backup copies) on two different media (e.g., local disk and cloud) with one copy off-site for disaster recovery, preferably air-gapped (a security measure that involves isolating a computer or network and preventing it from establishing an external connection; capable of being taken off-line) if feasible. 

Most organizations mistakenly still do not perceive themselves to be a ransomware target. That is simply not true anymore. If your data and ability to interact with it is important to you, then the bad actors see it as a revenue stream for themselves; they can and will try to ransom it!  These ransomware attacks are sophisticated, ever-evolving, and set the ransom at an amount commensurate with the victim.  I have seen ransom demands as low as $45K.  By the way, that is usually more than the cost of a cyber risk review, which would help prevent you from falling victim in the first place! In many other instances, the ransom demand is exactly the limit of liability for the CLI policy’s Network Security portion.  Of the five key takeaways, the quickest and likely least expensive defensive aid is SETA, quickly and closely followed by significantly beefing up your incident response capabilities BEFORE an event.

In conclusion, if an organization suffers a compromise,  they absolutely need a top-notch data forensic firm to investigate the depth and source of the attack to help prevent a repeat.  Yes, repeat ransomware attacks occur more than 50% of the time without professional forensics being engaged.  I highly recommend engaging firms that are experts in that specialty.  The need for true experts also applies to the data recovery firm, the negotiators, your P.R. firm, and your attorney.  Why go to the expense of hiring these outside pros? Consider this: Your managed services provider (MSP), I.T. generalist, or internal I.T. department just let you get compromised. Do you really think they can be objective and completely relied upon to set things right again without all the outside experts?