Navigating Ransomware Attacks: Insurance Coverage Best Practices
Ransomware attacks have become increasingly sophisticated and frequent, particularly in the wake of COVID-19, and ransom demands have steadily increased in size. Victims have paid more than $70 million to unlock their compromised networks and recover stolen confidential data.
In light of this ever-growing cyber threat, it’s important to understand the changing legal and regulatory landscape in order to take appropriate action at the first sign of an attack. Additionally, in order to maximize the recovery of costs spent and ransom payments made, it is crucial to immediately involve your insurers and make an effort to understand how to best prepare your response to breaches.
Insurance coverage for ransomware attacks
Various insurance policies can cover a business’s losses and costs resulting from a ransomware attack. Cyber liability insurance policies are the most common and most targeted sources of such coverage. You may also have coverage available under first-party property policies and kidnapping/ransom or special crime policies, to name a few.
Under many cyber liability insurance policies, covered losses may include costs incurred: to retain the services of an IT forensic investigation firm, a data breach legal advisor, a public relations firm, a crisis management firm, a law firm, call center services, identity monitoring and protection services or medical identity restoration services; to comply with applicable privacy regulations and notify affected data subjects; and, perhaps most importantly, to pay the ransom demanded by the attacker in order to restore your business operations.
It is important to note that these costs are often covered only if your insurer has approved them in advance. Indeed, some insurers provide a list of acceptable or pre-approved vendors and require the insured to use only those vendors. Therefore, it is important to engage your insurer (or trusted broker) immediately after the first sign of an attack in order to maximize the potential for coverage and restore operations.
In response to the increased volume (and cost) of ransom demands, many insurers have placed additional restrictions on ransomware coverage. Some policies specify that coverage for ransomware attacks will be provided in the form of reimbursement, which means that your business will have to bear the necessary costs and submit proof of loss for recovery. Others reduce the limits available to pay a ransom or require coinsurance so that the company has to pay a larger share of the ransom.
The OFAC obstacle
Since insurance coverage may be void if the insured’s actions are found to be illegal, the Office of Foreign Assets Control (OFAC) has issued advisories directed at companies considering paying a ransom and seeking coverage for a ransomware attack, as well as at insurers and other companies that facilitate the payment of a ransom.
OFAC, a financial intelligence and enforcement agency of the US Treasury Department, administers and enforces economic and trade sanctions in support of US national security and foreign policy objectives. Under the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), U.S. persons and entities are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN list) and with those covered by comprehensive country or region embargoes (such as Cuba, Iran, North Korea and Syria).
The Treasury Department issued an advisory on October 1, 2020, outlining the risks of violating these regulations when responding to ransomware demands, and essentially discouraging ransomware payments. It stated: “[c]ompanies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance companies, and businesses involved in digital forensics and incident response, not only encourage future ransomware payment claims, but may also risk violating OFAC regulations.”
An updated advisory, released on September 21, 2021, largely mimics the October 1, 2020 advisory, including the general discouragement of ransomware payments. It also adds advice on mitigating factors, such as prompt reporting of the attack and cooperation with law enforcement, which would bode well for a victim who paid a ransom in violation of the aforementioned regulations.
These regulations and the associated guidance have major implications for a victim of a ransomware attack. Because the law prohibits an entity from engaging in transactions with individuals or entities on the SDN list, and imposes penalties on those directly or indirectly involved, it may hamper a victim’s efforts to mitigate an attack by those individuals or entities and restore operations. It could also discourage third-party providers from participating in response efforts, and reduce your insurer’s willingness to pay costs or losses. At a minimum, it requires additional due diligence before a company decides to pay a ransom.
Given that the attacker’s actions are criminal, identifying the attacker adds even more complications. Businesses typically need to hire an experienced forensic firm to determine the plausible identity of an attacker or, at the very least, to rule out members of the SDN list using geolocation, targeted infrastructure, servers used, tactics employed and other data points. Forensic firms will often work with the company’s insurers. The resulting report usually becomes a key element in determining next steps, including, perhaps most importantly, the insurer’s willingness to cover the claim.
These reports, however, are not infallible. Even if it is determined that the attacker is not a member of the SDN list, it is still possible (although not necessarily likely) that the attacker ultimately was a member of the SDN list. OFAC’s updated 2021 advisory identifies several potential mitigating factors in the event that a company faces potential enforcement action: having an adequate sanctions compliance program; taking meaningful steps to reduce the risk of extortion by adopting or improving cybersecurity measures; and reporting promptly to law enforcement and cooperating with them.
Prospective cyberattack legislation
A week after OFAC released its September 21, 2021 advisory, the U.S. Senate Homeland Security Committee introduced ransomware legislation. If enacted, the bill would require (1) critical infrastructure companies to report cyber attacks to the federal government within 72 hours, and (2) all nonprofits, companies with more than 50 employees, and state and local governments to report any ransomware payments to the federal government within 24 hours of making the payment. The bill would also give the Cybersecurity and Infrastructure Security Agency the power to subpoena entities that fail to report cybersecurity incidents or ransomware payments; those who do not comply with the subpoena would be referred to the Department of Justice and barred from contracting with the federal government.
Of course, this legislation has not been enacted, but given the requirements and the potential repercussions for victims of ransomware attacks, it is important for companies to monitor any future developments.
Prepare a contingency plan now: you will need to be ready to act quickly if you ever face an attack. Review your insurance program for sources of potential coverage, including cyber liability, first-party property, and kidnapping/ransom and crime policies. If you are unsure of where to look, your insurance broker or legal advisor will be able to assist you in these efforts and help you identify the path to maximum recovery. Identify your preferred incident response professionals and providers ahead of time. If your insurers require the use of particular providers, discuss this with your insurers in advance.
Report the attack promptly to the FBI and the Internet Crime Complaint Center (IC3). If you are diligent in making these reports and follow the advice of a reputable forensic firm, OFAC may treat these factors as significant in determining an appropriate enforcement outcome if it is later determined that the situation involves sanctions.
Finally, stay up to date with new ransomware legislation. If enacted, such legislation may impose additional barriers on businesses facing a ransomware attack.
J. Andrew Moss is a partner in Reed Smith’s Chicago office and a member of the Insurance Recovery Group. He represents policyholders in a wide range of insurance litigation, including cyber liability, directors and officers liability, errors and omissions liability, fiduciary liability, employment practices liability and general liability. He can be contacted at [email protected].
Jessica Gopiao is a litigation lawyer in Reed Smith’s Miami office and a member of the firm’s Insurance Recovery Group. She focuses her practice nationwide on the representation of corporate, individual and commercial policyholders. She can be reached at [email protected].
David M. Cummings is a litigation partner in the firm’s Chicago office and a member of the firm’s Insurance Recovery group. He represents corporate policyholders in litigation relating to cyber liability, general civil liability, property, directors and officers and professional liability insurance coverage. He can be contacted at [email protected].