In just one year, ransomware attacks reported to the New York State Department of Financial Services ("DFS") have almost doubled. In these incidents, a cyber-attacker installs malware that encrypts a victim's computer systems or files and then demands a fee, or ransom, to unlock the encrypted data. Fortunately, cyber insurance that expressly covers the risk of ransomware has been widely available in recent years. These policies will pay for some or all of the ransom demand in the event of a ransomware attack, allowing the policyholder to regain control over its files and systems and resume operations. While paying a ransom is unappealing to most, it is typically far less expensive than the cost of replacing or restoring permanently-locked files and equipment, along with associated
Regulators have long scrutinized the perverse incentives of ransomware payments, however, and their tendency to encourage more ransomware attacks. On February 4, 2021, the DFS issued guidance, the Cyber Insurance Risk Framework, outlining the best practices for New York-regulated casualty and property insurers that underwrite cyber insurance. Notably, the DFS recommends that insurers not make ransomware payments. The DFS cited guidance from the Office of Foreign Assets Control of the U.S. Department of the Treasury that insurers can be held liable for making ransom payments to sanctioned entities.
The Risk Framework is nonbinding, but its recommendation that insurers not make ransom payments could put pressure on insurers to stop issuing cyber insurance policies with ransomware coverage. Although this may advance DFS' policy goal of reducing incentives to commit ransomware attacks, there is no question that, in the short run, it would make ransomware attacks far more costly for policyholders, who would have to either pay the ransom out of pocket or shoulder the cost of restoring their encrypted computer systems.