In the wake of the Colonial Pipeline ransomware attack, which crippled gas lines on the East Coast—and resulted in a $4.5 million payout to the hackers—law enforcement agencies around the world are taking a closer look at the question, “Should companies pay when hit with ransomware?”
Increasingly, they’re urging victims not to give in to hackers’ demands.
A global coalition of cyber security experts, the Ransomware Task Force (RTF), has started urging governments to make it illegal for companies to pay a ransom. They argue a ban on paying hackers removes the burden of deciding from the victim, or in many cases their insurer, ultimately eliminating the attack’s profitability and forcing hackers to move on.
RTF bases its argument on the premise that paying ransom only emboldens hackers, and that cyber insurance carriers are partly to blame for the 147% increase in ransomware-related losses between 2018 and 2019.
Other security experts agree with RTF’s claim, arguing insurers are funding cyber crime—and worse. Some even go so far as to suggest cyber insurance carriers would actively oppose making it illegal to pay ransomware demands, as it would eliminate their products’ unique value proposition.
But the truth is Cyber Insurance is only one part of the ransomware puzzle.
Is it Legal to Pay Ransomware Demands? The Answer is Complicated
In October 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) issued a bulletin regarding ransomware. It reiterated existing laws about paying ransom demands and cautioned companies against paying.
The upshot of OFAC’s bulletin is that companies should avoid paying ransom to prevent emboldening hackers from making more attacks—and that in some cases, paying a ransom is illegal.
Under U.S. law, companies and their insurers must confirm hackers have not been identified by OFAC as a specially designated national (SDN) or blocked person before making the payment. Paying one of these criminals—including the SamSam group, the Lazarus Group, the developer of CryptoLocker, and Evil Corp—could result in sanctions against a company that facilitates ransomware payments.
As you might expect, this state of affairs can prove challenging for a business. A company under attack is facing time constraints. Every minute that passes means more losses. Given the investigative challenges involved in finding the person or group responsible for the attack, many companies adopt a “pay now, ask questions later” approach.
Insurers are concerned about the legality of paying a ransom, and there have been cases in which claims were denied. Insurance carriers are regulated entities, and therefore bear the responsibility to avoid facilitating payments to criminals on OFAC’s SDN list.
Bottom line? Ultimately, it’s the decision of the insured—not the insurance carrier—whether to pay ransomware demands, with the caveat that their losses may not be covered.
And the question “Should companies pay ransomware demands?” can’t ignore the fact many companies have a fiduciary duty to their shareholders to act in the business’s best interests. This duty could mean paying the ransom to get back online as soon as possible, but in most cases, insurance carriers work with the victims to develop alternatives.
Should Companies Pay Ransomware Demands?
The simple fact that insurance carriers aren’t the final arbiters in determining whether companies should pay when hit with ransomware is just one reason the burden of responsibility for cyber attacks doesn’t rest entirely on their shoulders.
It’s also worth noting that globally, only about 15% of companies actually have Cyber Insurance. There’s no evidence companies who have the coverage are any more or less likely to pay ransom demands. Without coverage, companies need to weigh the costs of paying against the costs of a prolonged outage, and are more likely to pay if they cannot absorb the hit.
Not to mention, companies with Cyber Insurance coverage have more options for managing attacks. Instead of simply paying the ransom because they believe they have no other options, they have access to experts who can help them through the problem and assist with recovery.
And whether it involves ransom or not, recovery is the primary objective. A recent report from Hiscox revealed insured cyber losses in 2019 reached $1.8 billion, up more than 50% over the previous year. Only a small portion of those losses were actual ransom payments. The remainder were associated with costs related to:
- Business interruption
- Breach notification
- Legal reviews
- Security improvements
- Network rebuilding
- Regulatory sanctions
In most situations, insurance carriers agree with law enforcement: Companies should not always pay the ransom. Payments should only be made in extreme cases when there are no other options.
Cyber Insurance’s Role in Stopping Ransomware
Placing responsibility for the increase in ransomware attacks on Cyber Insurance carriers overlooks the potential for them to become valuable partners in the fight against cyber crime.
Cyber Insurance can help reduce the risk of a successful attack. The underwriting process demands information and action from insureds related to their security and threat mitigation efforts. Carriers make certain the insured parties are aware of threats, educate them on the changing threat landscape, and set standards for response. Coverage depends on adequate cyber hygiene, creating another layer of protection. If insureds don’t have adequate controls, they will find it hard to get coverage or will pay considerably more for it, so carriers are driving better cyber risk management during the underwriting process.
The insurance industry and law enforcement already work together, sharing threat intelligence and information. Strengthening these partnerships and developing better lines of communication can ensure ransom payments are only paid when no alternatives exist—and global law enforcement receives information it can use to track down and apprehend the criminals.
Helping Clients Understand Risk Exposure
Your clients may not understand their risk of exposure to ransomware and other threats. Most ransomware is not targeted. Even small businesses are at risk and may not survive an attack—even if they opt to pay the ransom.
Help your clients understand their risk with our free downloadable report, “Cyber Exposure: What’s the Real Cost?”
Using real-life examples from multiple industries, this report will help you clearly explain your clients’ potential risks and encourage them to get protection with a cyber policy.
Fill out the form to download either a ProWriters branded version or add your logo to our FREE white-label version. Give your clients the insight they need to protect themselves.