Ransomware attacks and ransom demands continue
to be a major concern for cyber insurers and insurance buyers alike. Attackers
are using ransomware to target businesses of all sizes with greater frequency,
and their attacks are growing more severe. Ransom demands of $1 million or more
are now routine, and some demands have exceeded $10 million.
Ransomware payments — and their reimbursement under insurance
policies — remain a controversial topic because of their potential for moral
hazard and the possibility that such payments will fund international criminal,
terrorist, and/or state-sponsored cyber actors.
OFAC alert highlights
On October 1, 2020, the US Treasury Department’s Office of Foreign Assets
Control (OFAC) published an advisory that addresses this issue.
OFAC’s advisory reiterates the prohibition against US businesses and persons
conducting business or paying funds to any person on the “Specially Designated
Nationals and Blocked Persons” (SDN) list. US companies can be sanctioned for
any violation of OFAC’s rules, even if they do not personally execute a
transaction or know that a payment is being made to a prohibited organization.
For several years, OFAC regulations have restricted the ability
of ransomware victims to pay attackers on the SDN list, regardless of whether
the attacker is believed to be sponsored by an OFAC-prohibited state — for
example, Iran or North Korea — or designated by OFAC as a malicious cyber actor
— for example, Evil Corp. The advisory highlights potential sanction risks in
the payment of cyber extortion demands. It encourages companies and their
advisors to report cyber extortion attacks to law enforcement and to contact
OFAC immediately if they believe a request for a ransomware payment may involve
a prohibited organization or person. The advisory does not address the process
or timing of responses by OFAC.
As OFAC makes clear, the recent advisory does not change any
applicable laws, regulations, or guidance in relation to payments being made in
connection with ransom demands. Instead, it serves as a reminder — to US
companies, ransom payment facilitators, and cyber insurers — that a regulatory
framework on ransomware already exists and applies in these circumstances.
Conducting OFAC reviews
Ransom payments and related investigation and negotiations expenses remain
covered losses under the cyber extortion component of most cyber insurance
policies. While other coverage and public policy considerations may prohibit
them, the payment of extortion demands by US companies and reimbursement by
cyber insurers are not prohibited by OFAC, unless a payment is being made to an SDN.
However, ransomware victims, ransom payment facilitators, cyber insurers, and
participating financial institutions remain prohibited from doing business with
any parties on the SDN list, including payment of a ransom.
To reduce their risk of an OFAC sanctions violation, businesses
should confirm that an OFAC review, often performed by a ransom payment
facilitator, is completed prior to paying any ransomware demands. As noted in
the advisory, organizations should also consider notifying law enforcement prior
to paying any ransom; this may be taken into account by the Treasury Department
when considering subsequent enforcement action.
Reassessing ransom incident response plans
The OFAC advisory makes it all the more important for businesses to have an
OFAC compliance program in place that specifically addresses the possibility of
a ransom demand during a cyber event.
More broadly, companies that are reassessing their ransomware
response practices in light of OFAC’s recent statement should take this
opportunity to reevaluate all aspects of their cyber incident response program.
Organizations should review their plans with all key stakeholders that will be
engaged during or following a ransomware incident, including parties that
specialize in ransomware response.
As they review these plans, companies should:
- Review the OFAC policies and procedures of all parties that may
be involved in a payment to threat actors. Beyond ensuring their own compliance
with OFAC policies, businesses should be mindful that their payment
facilitators, cyber insurers, and participating financial institutions are also
subject to OFAC regulations. At the time of an incident, ransom negotiators
generally take the lead in this type of analysis and can supplement the OFAC
SDN list with their own list of prohibited threat actors; although this step is
not specifically required by OFAC, it can offer added protection. Organizations
should also seek an OFAC certification from a ransom payment facilitator after
any payment is made.
- Evaluate how all contractual arrangements with external parties
on the incident response team address OFAC-related liabilities. Given the
strict liability provisions included in OFAC regulations, representations of
compliance with OFAC or indemnification/hold harmless provisions should be
- Consider reassessing company policies regarding the payment of
extortion demands generally, and cyber demands specifically. Extortion payments
can shorten the duration of an event and reduce its impact, but should be
weighed against other factors, including corporate codes of conduct, bylaws,
and reputational risks.
- Ensure alignment of ransomware response plans with other
critical incident response plans, including business continuity, disaster
recovery, and crisis management plans, in order to streamline response in the
event that multiple response plans are triggered. This can help eliminate
redundant or inefficient actions, improve coordination of effort, and reduce
the chance for missteps. In their incident response plans, organizations should
also consider the potential timing of securing any necessary OFAC clearance.
Mitigating ransomware risk
In addition to reviewing programs designed to ensure OFAC compliance,
organizations should seek to minimize the risks of ransomware and, where
possible, mitigate factors that increase the likelihood or necessity of a
ransomware payment. Specifically, companies should:
- Review and consider strengthening backup data and data
restoration plans. This can reduce the risk of material data loss and business
interruption in the event data or systems are infected, and may be a factor in
deciding whether to make an extortion payment.
- Reassess data retention and security practices to eliminate
the risk of exfiltration of personally identifiable information. The threat of
disclosure of sensitive information by bad actors is frequently a major factor
when a company is deciding whether to make a ransom payment.
- Address Remote Desktop Protocol (RDP) vulnerabilities, including
closing any open RDP ports and moving any required RDP access behind a VPN.
Victor can help
The shift to working from home in 2020 has led to an unprecedented increase in
cybersecurity risk — including ransomware — across businesses of all sizes.
Victor specializes in the needs of small to mid-size organizations to protect
their businesses from cyber-related loss. The Victor Cyber policy was designed
with a clear focus on the risk management and cyber insurance needs of
businesses across a broad range of industries.
Brokers can quote and bind coverage online through V2 or by
For more information, contact your Victor underwriting team or visit victorinsurance.com/cyber.