You may have read the numerous recent advisories regarding ransomware payments. The advisories seem to provide mixed messages — don’t pay ransom; it is ok to pay ransom; we don’t care if you pay ransom; or only pay ransom when. This leaves our brokers and policyholders with more questions than answers.
When focusing on ransomware advisories, one thing is clear, and we have all been warned repeatedly: ransomware is on the rise and not going away any time soon.
Ransomware is a specific type of malware that locks the files on your computers unless a ransom is paid. Typically, ransomware is downloaded via email attachments and can even be embedded in common Office documents. When the unsuspecting user opens the file, malware encrypts the user's files and replaces them with ransom notes.
These advisories that report assaults by cyber criminals are supported by what Coalition recently discovered in our 2020 Cyber Insurance Claims Report. In 2019, 41% of the claims reported to Coalition involved ransomware.
In 2020, Coalition observed a 47% increase in the average ransom demand. To make matters worse, recent news reports show company data being held hostage for $15, $30 and even $50 million ransoms. So what is a company to do? Is ransom being paid?
The October 2020 OFAC advisory from the Department of Treasury offers the most recent guidance regarding sanctions for the payment or facilitation of ransomware payments. It’s important to note that the advisory doesn’t change any existing laws or sanctions — it merely reinforces the existing law.
Specifically, the U.S. Treasury made clear it does not approve of ransom payments (due to U.S. Security concerns for providing funds to foreign threat actors), but it will not prevent payments so long as the payor follows the rules.
While the most recent advisory does not lay out all of the rules and compliance requirements to follow when making a ransom payment, the advisory does lay out some simple steps that must be followed:
1) OFAC does not ban the payment of ransom — it merely reinforces that you cannot make a payment to an individual or entity that is on the OFAC sanctions list. This list is available through OFAC’s website and must be checked prior to making a ransom payment to ensure that you are not paying a sanctioned entity.
2) If you discover that the entity or person you are going to pay is a sanctioned person or entity, the advisory makes clear that you MUST follow the rules and seek approval from OFAC before a payment is made. Failure to do so may result in substantial fines and penalties.
Play nice with law enforcement if you experience a ransomware attack. Complete an IC3 report, reach out to your local FBI office when an event occurs, and share information with the FBI when requested.
All of this will help “mitigate” any fines or penalties should law enforcement or the U.S. Treasury come knocking on your door later. In fact, chances are you will gain from the information sharing with law enforcement, especially as new variants of malware are released.
So what does that mean for you, a company with insurance through Coalition? Nothing, because nothing has changed. That is because Coalition maintains robust compliance measures when making ransomware payments, and continues to work to ensure that payments are made within the law, including the facilitation of OFAC licenses where those may be required.
Further, Coalition will continue these efforts through active dialogue with law enforcement and the U.S. Treasury, seeking continued guidance. We will make every effort within the law to provide all coverages afforded under our policy.
During this time, Coalition’s mission is unchanged, and we will do everything in our power to solve cyber risk for you and your clients. If you have questions about ransomware prevention and security measures, feel free to contact our team.