Ransomware threats and attacks dominated the cyber news cycle in 2020 and into 2021. With the global pandemic and the uptick in remote work and learning, cybercriminals and nation-state hackers have seized on vulnerabilities in data security infrastructures to wreak havoc and to make money — in the form of cryptocurrency. Not surprisingly, the need and demand for cyber insurance are simultaneously on the rise, and insurance policies that provide coverage for the payment of ransomware are of increasing interest and demand. But federal and state regulators are simultaneously focused on ransomware and how to combat its crippling effect on business. To that end, regulators have increased their guidance around the payment of ransomware and generally discourage its payment. This creates a conundrum for companies and their carriers — what to do when critical infrastructure is locked up, data is inaccessible and business interruption costs (and claims) are mounting in the face of a ransomware demand that likely has a deadline before the keys are ostensibly tossed and the data lost — to pay or not to pay? In this alert, Kramer Levin’s multidisciplinary insurance, privacy and regulatory team unpacks the most recent regulatory guidance, and particularly how insurance providers should approach ransomware coverage and payment.
DFS Circular Letter
Last week, on Feb. 4, 2021, the New York State Department of Financial Services (DFS) issued new guidance concerning cyber risks (Insurance Circular Letter No. 2 (2021) (the “Circular Letter”)), available here, which property-casualty insurers operating in New York should consider in their underwriting, claims and related practices on cyber risks. Particularly relevant is the guidance on coverage and payment of ransomware demands.
In consultation with industry, cybersecurity experts and others, the DFS created a Cyber Insurance Risk Framework, summarized below, that outlines best practices for managing cyber insurance risk. The Cyber Insurance Risk Framework applies to all authorized property-casualty insurers that write cyber insurance in policies issued in New York. However, DFS cautions that property-casualty insurers that do not write insurance expressly covering cyber risk should still evaluate their exposure to “silent risk” (coverage for cyber events arising out of more-general policy language). In this regard, DFS noted that the 2017 NotPetya incident (a global ransomware-like attack that targeted government infrastructure worldwide, medical facilities, shipping companies and health care providers, to name a few) led to $3 billion in insurance claims, of which $2.7 billion were made under property-casualty policies that did not expressly cover cyber risks.
The Circular Letter recommends against making ransom payments, citing the following reasons:
- Ransom payments “fuel the vicious cycle of ransomware, as cybercriminals use them to fund ever more frequent and sophisticated ransomware attacks.”
- A related consequence of paying ransom is that victims can unwittingly become complicit in making payments to sanctioned entities, such as entities identified by the Office of Foreign Assets Control (OFAC). This can lead, by virtue of insurance coverage, to the risk that insurance carriers will then likewise make payments to sanctioned entities.
- Paying a ransom offers no assurance that an organization will regain access to all of its data or that its data will not be publicly exposed.
Of concern to DFS is the moral hazard that arises when a business takes out cyber insurance “as a substitute for improving cybersecurity,” thus “pass[ing] the cost of cyber incidents on to the insurer.” To combat this problem, DFS urges insurers to “effectively measure the risk of their insureds” in the underwriting process. In the next section, we suggest some steps for underwriting these risks that are motivated by this guidance.
Citing attacks such as the recent SolarWinds incident (where a third-party vendor was breached and, through its access to its customers’ information security systems, resulted in its customers suffering varying degrees of unauthorized access and disruption), DFS admonishes insurers to “account for the systemic risk that occurs when a widespread cyber incident damages many insureds at the same time, potentially swamping insurers with massive losses.” According to the DFS guidance, the compromised network in SolarWinds was widely used by critical infrastructure entities, private sector organizations and government agencies, magnifying the damage inflicted. One widely used vendor’s breach resulted in thousands of subsequent and related breaches.
The DFS notes that “each insurer’s cyber insurance risk will vary based [on] many factors,” including the insurer’s size, resources, geographic reach and target insureds and that “each insurer should take an approach that is proportionate to its risk.” To address the insurer’s risk, the Cyber Insurance Risk Framework calls on all property-casualty writers issuing cyber coverage to establish a formal cyber insurance risk strategy at the board and senior management level, incorporating the following six items:
- Manage and eliminate exposure to silent cyber insurance risk by clarifying policy language.
- Evaluate systemic risk associated with cyber exposure, i.e., the likelihood that a single cyber event could affect numerous victims at the same time (this will be part and parcel of the vendor management initiatives described above).
- Rigorously measure insured risk by using a “data-driven, comprehensive plan for assessing the cyber risk of each insured and potential insured.”
- Educate insureds and insurance producers by offering “more comprehensive information about the value of cybersecurity measures and facilitat[ing] the adoption of those measures.” To align incentives, insurers should price policies based on “the effectiveness of each insured’s cybersecurity program.”
- Obtain cybersecurity expertise by hiring knowledgeable personnel and vendors.
- Require victims of cyberattacks to notify law enforcement.
Possible Underwriting Measures
As noted above, the DFS Circular Letter advises New York-licensed insurers to effectively measure their insureds’ risks. Indeed, underwriting methodologies for cyber have become more robust in recent years as cyber risks have intensified. The Circular Letter does not set forth particular underwriting steps; however, in implementing the DFS guidance, a carrier might, among other things, audit an insured’s:
- Data security program, including, for example, whether the insured:
  - Conducts regular penetration testing and vulnerability scans
  - Has regular patch management (a key issue in the NotPetya attack)
  - Has appropriate firewalls, malware prevention and infrastructure in place to protect employee, client, customer and corporate data
  - Audits third-party vendors and requires industry-standard data security protection over all data transferred, shared or hosted with the vendor
  - Allocates appropriate spend, talent and oversight to data security improvements and initiatives
- Data privacy program, including, for example, whether the insured:
  - Has robust internal policies in place concerning business continuity and disaster recovery, incident response, breach notification, acceptable use, vendor management and patch management
  - Complies with all applicable domestic and international data privacy regulations and laws, including those that govern data security, data collection, transfer, processing and destruction
  - Allocates appropriate spend, talent and oversight to data privacy compliance and initiatives, including implementing privacy by design in new products and tools
  - Regularly conducts tabletops or otherwise prepares for a security incident or data breach, including a ransomware attack
This is not an exhaustive list of underwriting factors for cyber, and carriers should consult qualified underwriting personnel and processes. This alert is not a substitute for such resources.
As noted in the DFS Circular Letter, part of the concern around ransomware payment is that it may run afoul of OFAC rules and guidance and federal anti-corruption regulations, as well as various sanctions laws and regulations, such as the Trading with the Enemy Act and the International Emergency Economic Powers Act, or IEEPA.
Under these laws, ransom payments, whether made directly or indirectly through an intermediary, to foreign terrorist organizations or specially designated global terrorists identified by OFAC are illegal. Given that most ransom attackers maintain anonymity, it is difficult for ransomware victims to identify whether the attacker is a sanctioned party. While there is a growing field of companies that research ransomware attackers and purport to provide insight into the attackers, their reliability in unlocking data upon receipt of payment and their likelihood of striking again, not surprisingly it is difficult to unmask these attackers or know with certainty their location or identities.
OFAC issued a formal advisory about the sanctions risks of facilitating ransomware payments, titled “Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” in October 2020, available here, which discusses potential sanctions risks for those involved in ransomware payments to sanctioned actors. The advisory is also directed at those acting on behalf of ransomware victims, such as “financial institutions, cyber-insurance firms, and companies involved in digital forensics and incident response.” Ransomware payments therefore can be a violation of economic sanctions laws, making ransomware victims — already victims of a security attack — and related parties subject to OFAC fines for sanctions violations.
Ransomware Attacks Continue Their Meteoric Rise
The DFS and OFAC guidance — and restrictions with potential fines — on paying ransomware presents a difficult paradox for carriers because, by all accounts, ransomware attacks will continue to rise exponentially. Cybersecurity firm Bitdefender calculated a 715% increase in detected ransomware attacks from 2019 to 2020. Security vendor Check Point reported a 50% increase in the daily average of global ransomware attacks in Q3 2020 alone, including a 98% increase in the United States during that quarter. According to Microsoft, there were between 20,000 and 30,000 ransomware attacks per day in the United States in mid-2020. A ransomware attack is projected to occur every 11 seconds in 2021.
This exponential increase has been fueled in part by the global pandemic, as remote work presents greater opportunities for malware intrusion. Microsoft recorded an eleven-fold spike in ransomware attacks the week after the World Health Organization declared COVID-19 a global pandemic.
This rise may also be related to the fact that more and more organizations are willing to pay their attackers in order to recover sensitive data or prevent its exposure. Thirty-nine percent of victim organizations paid to decrypt their ransomed data in 2017, a figure that rose to 45% in 2018 and 58% in 2019, according to CyberEdge.
The Cost of Ransomware Also Continues to Rise
The year 2020 saw the first known loss of human life directly attributed to a ransomware attack. A hospital in Dusseldorf was forced to divert an emergency patient after ransomware disabled its systems, and the patient died en route to a hospital in a neighboring town.
One cybersecurity service estimated monetary damage from ransomware rose from $8 billion in 2018 to $20 billion in 2020, worldwide. Although estimates vary widely due to underreporting, the average ransomware payment increased 33% from Q4 2019 to 2020, and one researcher put the total cost of ransomware to U.S. companies in 2019 at $7.5 billion. IBM estimates the average total cost of a ransomware attack for a single company at $4.44 million.
The cost of a single attack on a large company can be much higher. For example, in May 2020, IT services provider Cognizant said it expects to lose between $50 and $70 million as a result of a ransomware attack. In 2018, the WannaCry ransomware attack cost the National Health Service in the U.K. over $100 million.
Organizations May Insure Against Ransomware Loss
Despite recent DFS guidelines discouraging ransomware payments, companies may wish to insure against losses that many view as inevitable, which increases demand for the product. In a recent survey, 69% of IT professionals said they believe a successful attack will affect their organization within the coming year.
To counter this threat, “cyber-extortion” coverage has historically been an option under many broader cyber liability policies. A cyber-extortion option will often cover (1) ransom monies paid, (2) costs incurred hiring lawyers and security experts to respond, and (3) the repair costs of investigating a breach, patching the vulnerability and attempting to recover encrypted data. Many insurers also offer standing Cyber Insurance Incident Response Teams or preferred vendor lists — composed of specialists and vendors that can help an organization respond quickly to an attack.
In 2020, 51% of organizations with cyber liability policies used claims to cover the cost of third-party consulting and legal services for broader cyberattacks. But reportedly only 10% of organizations with cyber insurance used claims to cover the cost of ransomware or extortion.
Insurers should stay abreast of regulatory guidance concerning ransomware. When writing cyber policies, whether ransomware is covered, in what forms and for which entities should be expressly addressed. Given the OFAC risks, insurers should consider whether to exclude payment of ransom in the event the attacker is a known or likely actor for whom OFAC sanctions restrict payment. DFS’ guidance that insurers should better understand their insureds’ risks, including how their data security and privacy programs increase or diminish those risks, should not be ignored. Ransomware attacks are not going away any time soon, and insurers — just like those they insure — need to have a focused and strategic plan for addressing this rising threat to global data.