By Jarman J. Smith on February 17, 2021
Ransomware is a problem that has continued into the new year, causing cyberattack insurers to consider limiting coverage while victims fear the threat of punishment for sending ransom funds to cyber-criminals listed on the U.S. government’s sanctions list. These hackers have gone so far as to steal sensitive personal information before locking victims out of their networks and demanding ransoms. In some instances, ransomware attackers have threatened to post stolen data on public forums or auction the information off to the highest bidder. The seemingly everlasting threat of ransomware has left many organizations desperately seeking solutions.
Ransomware attackers have certainly taken advantage of circumstances created by the COVID-19 pandemic. Hackers have begun exploiting communication gaps created by overextended IT staff members and distracted employees consumed with the transition to working remotely. Even hospitals working to treat coronavirus patients have fallen victim to malicious cybercriminals looking to receive quick ransom payouts.
To make matters worse, cybercriminal groups have expanded their operations by creating “ransomware-as-a-service” processes where the malicious actors rent out their ransomware tools for use by others. As ransomware attackers evolve, authorities tasked with combating these individuals and helping the victims have begun adapting as well. However, whether these adaptations in response to the ransomware problem are beneficial or crippling may be up for debate. Two particular developments in the ransomware ecosystem worth noting relate to sanctions against those paying ransoms and the growth of the cyber insurance industry.
Threat of Sanctions for Paying Ransoms
In October of 2020, the U.S. Treasury Department issued a warning that victims and the third-party companies that negotiate on their behalf may be penalized for paying ransoms to cybercriminals that are under economic sanctions imposed by the U.S. This warning is sure to make those impacted more cautious when making such payments. The strict liability nature of this warning may prove to be problematic, as anyone who sends funds to a sanctioned cybercriminal could be held liable even if evidence tracing the criminals to a sanctioned entity emerges after the fact. This places victims in tough situations as they must balance the need to recover any compromised information in a timely fashion with the responsibility to devote effort and time toward determining the identity and relationships of their hackers.
The Treasury’s Office of Foreign Assets Control (OFAC) has the authority to fine businesses up to $20 million, but it is still unclear how the agency will go about enforcing this new guideline. However, OFAC has indicated that it will be more lenient with companies that self-report incidents to law enforcement, which will likely lead to authorities gaining a more detailed view of existing ransomware threats.
Cyber Insurance Industry
Claim numbers for cyberattack insurers have risen substantially within the past few years and ransomware attacks are one of the main factors responsible for this increase. In November of 2020, German insurer Allianz reported a 950% increase in cyber insurance claims over the last three years, recording 770 such claims in the first nine months of 2020 alone. Moreover, specialty insurer Beazley Group stated in June of 2020 that ransomware attacks reported to its breach response team climbed 25% during the first quarter of 2020. As the number of claims continues to increase, the cyber insurance industry is likely to consider raising premiums associated with ransomware incidents. However, insurers oftentimes pay the ransomware demands imposed upon their policyholders. Thus, as long as insurance companies continue covering these payments, insured companies are likely to settle for the higher costs of premiums. In addition to raising premiums, cyber insurers will most likely try to incentivize policyholders to take steps to prevent and mitigate cyberattacks. Preventing ransomware attacks altogether would be the ultimate goal for cyber insurance companies and their policyholders, because paying a ransom does not guarantee that cybercriminals will stop infiltrating a victim’s systems.
How Brouse Can Help
Brouse McDowell’s Cybersecurity and Data Privacy team can help before an incident occurs by preparing a cybersecurity plan and conducting a cyber-liability insurance review to mitigate the risk. Additionally, we can provide advice to your business regarding data compliance requirements, proactive solutions to defend against cyberattacks, and general guidance through the complexities of all data privacy laws and regulations. Our team offers a variety of data privacy and cybersecurity services, including pre-breach and cybersecurity planning, cybersecurity and data privacy transactional services, data regulatory compliance services, breach response and disclosure obligation services, cyber liability insurance review, and any related litigation issues regarding cybersecurity and data breaches (investigation, defense, insurance recovery and response). Please contact us for more information and to learn how we can partner with you.
This blog is intended to provide information generally and to identify general legal requirements. It is not intended as a form of, or as a substitute for, legal advice. Such advice should always come from in-house or retained counsel. Moreover, if this blog in any way seems to contradict advice of counsel, counsel's opinion should control over anything written herein. No attorney-client relationship is created or implied by this blog. © 2021 Brouse McDowell. All rights reserved.