A recent announcement on ransomware from the federal government has put cyber insurance companies and their policyholders in a bind.
If the targeted business doesn’t pay the ransom, it can’t operate. If it and its insurer do pay the ransom, the government may penalize them both, and the fines could be hefty — as much as $250,000 per violation in “non-egregious” cases, under new U.S. Treasury guidelines.
This news comes as ransomware attacks are increasingly hitting small businesses. A recent study by cybersecurity firm NetDiligence showed that, over the past five years, small and medium-sized businesses have made insurance claims for ransomware attacks at three times the rate of hacking events, with insured ransom payments averaging $247,000 plus $350,000 in recovery costs.
The fallout and what’s happening
An insurance company that wants to operate in good standing may not be willing to risk incurring penalties by paying the ransom as part of their coverage.
The announcement has already caused insurers to reject applicants who have been hit with certain ransomware strains, according to one cyber-security expert.
He said insurers and the Treasury Department communicate frequently to determine the risk that certain payments may violate the law.
The Treasury Department has historically discouraged victims from paying ransoms, saying that ransoms enable criminals and adversaries to “profit and advance their illicit aims.”
Recently, the department went a step further: It will start penalizing anyone who pays or facilitates payment of ransoms to certain individuals, groups and countries. That could include the victimized businesses and their insurance companies.
The department believes that some ransom payments have gone to individuals and entities named on the Specially Designated Nationals and Blocked Persons List. This list, created after the September 11, 2001 terrorist attacks, identifies those suspected of terrorist activity.
Federal law prohibits making or facilitating payments to anyone named on the list or to countries on the terrorist watch list, such as Cuba, North Korea and Iran. Those who make payments to these individuals, entities or countries face civil penalties even if they were unaware that the recipient was on the lists.
The department’s Office of Foreign Assets Control is authorized to fine everyone involved in making an illegal payment, including the insured business and the insurer.
Mitigation Advice from the Feds
The Treasury Department has urged businesses to take mitigation steps to prevent attacks, recommending cyber-security practices such as:
- employee training
- system monitoring
- multi-factor authentication
- installing anti-malware protection on their servers
In addition, the department said it would look more favorably on businesses that have these protections in place and end up having to pay ransoms anyway. Organizations that self-report possible impermissible payments to law enforcement will also be considered as having mitigated the risk.
Ransomware has become a plague for all kinds of organizations. Taking defensive measures is the best way to avoid having to make an insurance claim and accidentally breaking the law.
VMA now offers our printer and creative agency small business owner members access to cyber risk insurance for as low as $400 for $250K in coverage. Contact firstname.lastname@example.org or 415-710-0568 and get protected.