Cyber Alert: OFAC Ransomware Guidance

On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) released advisories addressing financial crime-related risks associated with ransomware and ransomware payments.

While cyber extortion, ransom payments, and OFAC violations are nothing new, the advisories come at a time when ransomware losses are at an all-time high. The McGriff claims team has seen cyber claims rise year over year by 143%. More evidence:

• Ransomware attacks increased by 47% from Q1 to Q2 in 2020[disc]
• Ransomware attacks have increased 715% year-over-year[disc]
• Ransomware demands have increased year-over-year—including $40 million demands and higher[disc]

Especially when you consider the reality of remote work prompted by the pandemic, it’s clear that ransomware is an increasing threat to businesses and an opportunity for bad actors. 

While the OFAC advisory may not drastically change the decision on whether or not to pay a ransom demand, it does raise awareness around the diligence process, incident response plans, and insurance considerations that are critical to ensuring a payment is not made to a person or organization on the Specially Designated Nationals and Blocked Persons List (SDN). OFAC may take into account the adequacy of a company’s OFAC compliance protocols when determining the severity of a fine or penalty for payment to a prohibited person—and also may not have the flexibility to make exceptions on payments to sanctioned organizations, even if doing so is critical to the survival of the business.

Proactive measures to address OFAC compliance in a ransomware incident

• Vendors retained to negotiate with ransomware bad actors should coordinate with forensic investigators and legal counsel. Forensics investigators may have line of sight to the strain of ransomware and its ties to OFAC-prohibited parties. Outside counsel can assist in thoroughly documenting the due diligence process.
• The Company’s Incident Response Plan (IRP) should include prudent steps regarding review of OFAC’s prohibited persons list when confronting threat actors, and before any ransom payment is considered or paid. The IRP should also include communications with law enforcement (FBI, etc.) and acknowledge OFAC penalties and prohibitions on payments to sanctioned persons or entities.
• Companies should rely on experienced outside counsel to guide them in preemptively notifying law enforcement of a connection to an OFAC-prohibited person or entity. Consultation with law enforcement can better inform any ransom payment decision and should be part of due diligence documentation.

The OFAC advisory does not address cyber insurance policy coverage, but consider the following for a more positive outcome following a ransomware attack:

• Cyber insurance policies (as endorsed on other policies as well) contain restrictions/exclusions on payments made to OFAC-sanctioned organizations or persons. This is a legal issue whereby insurers, similar to the companies affected by the ransomware, are legally prohibited from making a ransom payment to any party on the SDN list.
• Coverage for other expenses associated with the ransomware incident may still be covered by the policy. While the payment of the ransom demand might be illegal in some cases, the resulting financial impact (business income loss, digital asset recovery, hardware replacement, etc.) could still be covered by the cyber policy.
• Cyber insurers often provide policyholders with a list of approved vendors who have the requisite skill set to determine the veracity of the ransom threat, handle negotiations over secured channels, and coordinate payment in cryptocurrency, when warranted.
• Notification and coordination with your insurance broker and carrier are critical to a positive claims outcome. Understanding the terms and conditions of the cyber policy will help minimize potential friction during the claims process, especially with respect to ransom payments and coverage eligibility. Alert your brokerage claims manager immediately upon discovery of a ransomware threat.

What’s ahead in the cyber insurance marketplace

The increase of ransomware, cyber extortions, and resulting losses has had a hardening effect on the cyber insurance marketplace. While increased scrutiny around ransom payments and perhaps a more aggressive expansion of the OFAC-prohibited persons/entities list could lead to fewer ransomware events in the future, the restrictions on ransom payments to prohibited persons is likely to lead to larger insurer losses in the short term.

As the cyber marketplace continues to harden, policyholders should be prepared for premium increases on renewal terms and increased scrutiny in the underwriting process. This is especially true for the viability of data backups, network segmentation, remote access protections, phishing awareness campaigns, privileged access management, business continuity and disaster recovery, multifactor authentication, and other security controls. Some carriers are already signaling that they plan to limit their ransomware exposure and are considering sublimits, coinsurance, and longer waiting periods. We must emphasize that the best plan of action is to do everything possible to reduce both the likelihood and severity of a ransomware event. Loss prevention, even when expensive and inconvenient, is worthwhile.

Learn more

To learn more about McGriff’s cyber coverage options, please contact:

Suzanne Gladle
Executive Risk Advisors
Senior Vice President, Cyber Practice Leader
404-497-7515
sgladle@mcgriff.com

To learn more about McGriff Executive Risk Advisors, please contact:

David Sellars
Executive Risk Advisors
Executive Vice President, Co-Division Leader
404-497-7582
dsellars@mcgriff.com  

Dusty Cahill
Executive Risk Advisors
Executive Vice President, Co-Division Leader
404-497-7537
dcahill@mcgriff.com