To Pay or Not to Pay: Is That the Question?

We are on the heels of the 20th anniversary of 9/11, and many of us lived the Terrorism Risk Insurance Act debates that followed.

The widely shared expectation at the time was that 9/11 was just the first of what we thought would be a long litany of terrorist events on U.S. soil. But those never materialized, and, to date, not one claim has been paid through the TRIA program.

The recent exponential growth in “ransomware” claims, however, seems to have bucked that trend. There is a spate of more well publicized cases—Colonial Pipeline and CNA?—but as Alejandro Mayorkas, secretary of the U.S. Department of Homeland Security, recently noted, the overall “rate of ransomware attacks increased 300% in 2020” alone, and the payment demands also have increased substantially.

In most cases, however, ransomware attacks will not qualify as “terrorist” events reinsured under the TRIA program, because to be covered TRIA requires the act “to have been committed by an individual or individuals as part of an effort to coerce the civilian population of the United States or to influence the policy or affect the conduct of the United States government by coercion.” Ransomware attacks, instead, are really just modern cyber crime where it’s all about the money, not the coercion.

These events do, however, feel like acts of terrorism. For me, they conjure up memories of hijacked planes and the dilemma they posed—do you pay the terrorists in the hopes of freeing the plane today but embolden the terrorists of tomorrow? Or do you hold the line and potentially sacrifice today in order to better ward off future threats?

And that is exactly the emerging debate between policymakers and (most of) industry. Policymakers—led by the Department of Treasury’s Office of Foreign Assets Control and the New York Department of Financial Services—caution against making any ransomware payments at all, primarily under the “don’t embolden the terrorists” line of thinking. As NYDFS explained in the “Ransomware Guidance” it issued on June 30:

The Department, like the FBI, recommends against paying ransoms. Paying ransoms encourages and funds future ransomware attacks, and may also risk violating OFAC sanctions. Experts have also reported that in many cases even when victims paid, companies have not been able to regain access to all of their data and their data was later leaked anyway. Furthermore, a recent study found that 80% of victim organizations who paid a ransom experienced subsequent attacks.

The American Property Casualty Insurance Association, in contrast, has issued a set of principles that includes the admonition that “insurers must be permitted to provide reimbursement coverage for the policyholder’s payment of ransom for cyber extortion” (as long as such payments do not violate any of the sanction restrictions).

There is broad agreement that better cyber hygiene and broader cyber incident information sharing can help to at least reduce, if not eliminate, ransomware exposure. In fact, according to NYDFS, “The good news is that most ransomware attacks can be prevented” (which may, of course, be at least a bit pollyannish). The NYDFS “Ransomware Guidance” suggests a broad range of new cyber-security protocols for licensees that it intends to incorporate into regulatory requirements this fall (including better training; more limited system access; multifactor authentication for system access; and tested and segregated backups). There is little doubt that most businesses would benefit from conducting a cyber-security risk assessment and implementing such protocols where appropriate.

There also is little doubt that continuing to ramp up cyber-attack incident reporting and information sharing better allows businesses—and those with whom they are working to maintain their cyber-security programs—to better protect themselves from emerging threats.

In thinking about the core policy question that we are now confronting—should we allow the facilitation of those ransomware payments or not—three core factors drive me to the view that a prohibition at this juncture may do more harm than good.

First, our core mission is to protect our clients and help them stay up and running. If a client is a ransomware victim, there may be some benefits for the greater good of holding the line, but it likely will not offset—for them—the acute pain of the harm that is done to their business in the interim.

Second, clients that are insured against cyber attacks are more likely to be better prepared for those attacks, because they get better advice on the risk mitigation side and they directly and immediately reap the benefits of implementing those measures through the reduced premiums they will pay because of the lower risk they will present. A blanket legal ransomware payment prohibition may drive at least some potential clients out of the market and will likely at least undermine the risk mitigation agenda.

Third, if the payments are barred, then insureds (or potential insureds) are less likely to report the incidents if they opt to make the (business-preserving) payments anyway.

It is perhaps for these reasons that even OFAC in its guidance notes that it will “consider a company’s self-initiated, timely, and complete report of a ransomware attack to law enforcement to be a significant mitigating factor” in imposing penalties even if that payment ultimately was made to an individual or entity subject to an OFAC sanctions regime.

Allowing the insurance ecosystem to fully envelop the growing and evolving cyber security and ransomware threats comes with a lot of systemic benefits. I think that imposing any impediments to the growth of that ecosystem—like a blanket legal ransomware payment prohibition—would only be counterproductive at this juncture.