Is it illegal for insurance brokers to pay ransom?

What cyber insurance clients need to know

According to reports by Threatpost, there was a 151% increase in ransom demands last year. The complexity and frequency of such attacks are increasing year on year. Ransomware operators have started using varied and escalating extortion techniques, and the average payment has reached $570,000. However, the question remains: is it illegal to pay the ransom?

It is a valid and essential question. Why reward the malicious activities of ransomware criminals by paying them? These criminals usually know what their targets can afford and tailor their demands to what the target can pay.

You may be thinking that unlocking your data or avoiding a data breach by paying up is a good idea. After all, it helps avoid embarrassment, exposure and business interruption. However, the question remains: is it legal to pay a ransom? In specific cases, it may be illegal to pay ransoms.

This blog will explain why paying ransoms can be illegal and how you can protect yourself by choosing the right Cyber Insurance.

Succumbing to ransom demands threatens National Security.

But things are changing. In October 2020, the Department of the Treasury's Office of Foreign Assets Control (OFAC) issued an advisory highlighting that paying ransomware demands risks violating OFAC regulations.

OFAC cautioned that paying ransom demands may expose the payer to civil penalties for sanctions violations on a strict-liability basis. The reality is that if you are subject to U.S. law and make a ransomware payment to an entity that is under U.S. sanctions, you can be held civilly liable, regardless of whether you knew the recipient was sanctioned.

Instead, the advisory stresses the responsibility of cyber attack victims to report attacks to the relevant law enforcement agencies as soon as possible and to cooperate with them. Specifically, the targets of cyber ransom demands should report the incident to the Treasury's Office of Cybersecurity and Critical Infrastructure Protection (OCCIP) and to OFAC.

When assessing a case, the relevant agencies will also look at an organization's efforts to update and improve its cybersecurity, with measures that include:

  • Maintaining offline data backups
  • Incident response plans
  • Cybersecurity training
  • Regular antivirus and anti-malware updates
  • Authentication protocol deployment

The dangers of ransomware are real

Let's forget the legalities of paying ransomware demands for a bit and think strategically. The fact is that eight out of 10 organizations that pay ransomware demands are hit by a second attack. Taking the easy way out isn't always the smartest move.

The other startling fact is that most businesses believe ransomware and cyberattacks only happen to prominent multinational corporations or high-profile companies. This is far from the truth. Small and medium-sized businesses (SMBs) usually suffer 50-70% of ransom attacks, and 60% of small businesses fail within six months of the incident.

This is one of the most important reasons why your clients need Cyber Insurance.

Your clients need insurance

It can help them manage the risks and cover the costs of operating a business in today's ransomware-riddled digital market. A robust policy can also give them access to top-notch law firms, something that is otherwise out of reach for a small business. These firms are experts at dealing with data breaches and similar attacks: they can advise clients on the legalities of a given ransomware situation and work with regulators to make the process smoother.

Cyber Insurance without ransomware demand coverage?

While it may seem like the easy way out, encouraging such malicious activity by paying such demands is best avoided. The better way forward is to shore up security and make mitigating actions part of the cyber risk and cyber security management strategy. This is more likely to bring lasting change than succumbing to cyber extortion, network disruption or a cyber attack.

Enterprises need insurance against ransomware attacks

Cyber insurance policies can offer other coverages when a ransom demand is not paid. They are:

  • Coverage for data loss and restoration
  • Network interruption outages and costs
  • Business income loss
  • Reputational harm
  • Costs associated with notifying individuals of data breaches

Real change will happen when everyone involved in your supply-chain and vendor ecology evolves to take cyber risk seriously. The looming threat of ransomware isn't something to be taken lightly. Cyber Insurance policies can be the moat that keeps small businesses from sinking. Consider the incidents that involved SolarWinds or Kaseya: it can happen to anyone at any time. This is what makes robust cyber insurance mandatory.

Why you need policy checking

With so much complexity and regulatory change, it isn't easy to keep up. This is especially true as a small business. A typical cyber insurance policy is highly technical with its own vocabulary. Going line by line or page by page isn't practical. Cyber insurance policies can be hundreds of pages long. Manually checking them for errors and omissions, along with other aspects, is tedious and error-prone.

Automated insurance policy checking is the future

At Exdion, we automate Cyber insurance policy checking end to end. Using a combination of natural language processing, machine learning and artificial intelligence, Exdion Policy Check automates most of the tedium and toil for your policy checkers. Get in touch with us to learn more about Exdion Policy Check.