In just one year, ransomware attacks reported to the New York
State Department of Financial Services ("DFS") have
almost doubled. In these incidents, a cyber-attacker installs
malware that encrypts a victim's computer systems or files and
then demands a fee, or ransom, to unlock the encrypted data.
Fortunately, cyber insurance that expressly covers the risk of
ransomware has been widely available in recent years. These
policies will pay for some or all of the ransom demand in the event
of a ransomware attack, allowing the policyholder to regain control
over its files and systems and resume operations. While
paying a ransom is unappealing to most, it is typically far less
expensive than the cost of replacing or restoring
permanently-locked files and equipment, along with associated
downtime.

Regulators have long scrutinized the perverse incentives of
ransomware payments, however, and their tendency to encourage more
ransomware attacks. On February 4, 2021, the DFS issued
guidance, the Cyber Insurance Risk Framework, outlining the
best practices for New York-regulated casualty and property
insurers that underwrite cyber insurance. Notably, the DFS
recommends that insurers not make ransomware payments. The
DFS cited guidance from the Office of Foreign Assets Control of the
U.S. Department of the Treasury that insurers can be held liable for
making ransom payments to sanctioned entities.

The Risk Framework is nonbinding, but its recommendation that
insurers not make ransom payments could put pressure on insurers to
stop issuing cyber insurance policies with ransomware
coverage. Although this may advance DFS' policy goal of
reducing incentives to commit ransomware attacks, there is no
question that, in the short run, it would make ransomware attacks
far more costly for policyholders, who would have to either pay the
ransom out of pocket or shoulder the cost of restoring their
encrypted computer systems.