The Financial Crimes Enforcement Network (FinCEN) and the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) both issued guidance this month about payments for ransomware. Their guidance didn’t break new ground, but it did reinforce the importance of verifying that organizations are not making payments to terrorist organizations or similar organizations under U.S. sanctions.
The guidance carried an underlying message: companies need to work with insurers and other ransomware response vendors that have extensive experience with facilitating such payments, conduct appropriate due diligence, and obtain prior authorization from the federal government. A company making a payment to an entity on the sanctioned list could face legal liability.
While the Treasury Department would prefer that companies not pay ransoms, the guidance recognizes that businesses targeted with ransomware frequently face the difficult choice of paying the demanded amount or shutting down entirely. So the Treasury and its agencies want those companies to work with insurers and vendors who understand the correct process.
The dramatic increases in ransomware have motivated businesses to enter the payment facilitation marketplace and led insurance carriers to dip their toes into cybersecurity coverage. Unfortunately, those new entrants often lack knowledge of the ransomware environment and who may actually be lurking behind the cryptocurrency wallets to which payments are made.
According to law firm BakerHostetler’s Digital Assets and Data Management group, ransom demands are also skyrocketing. “In 2018, the average ransom amount was $28,920. In 2019, the average ransom amount increased to $302,539. Ransom demands have continued to grow in 2020, and as our next report will reflect, we are seeing demands in excess of $50 million,” the firm recently noted.
Hylant works with experienced and highly specialized cybersecurity carriers and related vendors. They’re well-acquainted with the robust due diligence protocols the federal agencies expect to see, and their experience in handling payment requests helps them identify wallets and IP addresses linked with threat actors who may be on the sanctioned list. After all, they were using these protocols long before the new notices were issued.
One firm we frequently work with, a specialist in preventing and mitigating cyber incidents such as ransomware, advises companies to pay ransom only if payment is legally permissible and there is no other way to recover the data. The company uses a cryptocurrency investigation tool to analyze transactions and to identify red flags in connection with the OFAC Sanctions List. They also use malware analysis and threat intelligence research to track, study and identify risk factors associated with different malware variants—information valuable to and shared with law enforcement and federal agencies.
What happens if the federal government later discovers that a payment went to a banned organization? By being able to document the due diligence they performed, the carrier and/or vendor protect themselves and the client from liability.
As with any type of risk, awareness and preparation are the keys to preventing harm and loss. Given the degree of ransomware activity, if companies aren’t already working with specialized insurance carriers and cybersecurity experts, they need to start doing so immediately. It’s like fire protection: you don’t want to start thinking about alarms and sprinklers as the fire trucks are racing to your facility. The right cyber incident response vendors can help you reduce your own liability and handle attacks in the most effective and expedient way.
Not sure where to turn? Ask our team for recommendations.
The above information does not constitute advice. Always contact your insurance broker or trusted adviser for insurance-related questions.