Many of us have read about the SolarWinds Orion enterprise network attack. It may well be months, if not years, before the full damage to the Department of Homeland Security, State Department, Office of the President, and Fortune 500 companies can be fully assessed.
Accordingly, New York State’s Department of Financial Services (DFS) warns that the failure of any business or organization to develop a “rigorous and data driven approach to cyber risk” could result in both serious and unforeseen consequences. This is true for insurers as well as for corporations and organizations.
As to insurers, DFS warns that they must take great care in underwriting these risks, as many insureds use insurance as a cost-effective substitute for improving cybersecurity. As such, the insurer runs the risk of actually increasing cyber risk, as the insured will not upgrade their defenses, but simply seek to pass any losses on to the insurer. Unnecessary coverage disputes can also arise from policies that do not specifically rule cyber risk coverage in—or out. Specifically, Errors and Omissions, General Liability, and even Product Liability policies have been drawn into the dispute as to whether an insured has cyber risk protection.
Yet the concerns do not end there. According to the 2019 FBI Internet Crime Report, there was a 37% annual increase in ransomware attacks, which directly caused a 147% increase in associated losses. This raises the question as to who should be responsible for paying the ransom, insurer or insured. Surprisingly, the answer may be neither, because the payment may be prohibited by the U.S. Treasury’s Office of Foreign Assets Control (OFAC).
The Treasury Department has taken the position that ransom payments on behalf of any victim, including financial institutions, cyber insurance firms, and companies performing digital forensics and incident responses, not only encourage future attacks, but also may violate OFAC regulations, resulting in significant sanctions.
Because a victimized entity may never know if the attack was precipitated by anyone on the Specially Designated Nationals and Blocked Persons (SDN) List, the best course of action is to make no payments without consultation with, and clearance from, OFAC and the Financial Crimes Enforcement Network (FinCEN). Applications for a license to make payments are reviewed on a case-by-case basis, “with a presumption of denial.”
Essentially, protection of an organization can be distilled to three basic elements.
- First, make sure that your data is protected by all available cyber protection software. It would be prudent to engage professional cyber risk experts to perform testing, to ensure the adequacy of your defenses.
- As to insurers, make sure that your underwriting department fully understands the anticipated risks associated with insuring an entity, with specific policy language and recommendations, to both minimize risks and clarify exposure.
- Finally, should an attack occur, make sure that all involved decision makers take no action until the proper authorities are contacted.
While your organization may regard the risk of attack as slight, given the increased incidence of attacks, the rise in associated losses, and the order of magnitude of damage, it is long past time to address this existential risk to your organization.
—————————————————————————————————————
James Denlea, Esq., is a founding partner of Denlea & Carton LLP. For more than forty years, he has represented the interests of individuals and corporations, both as plaintiffs and defendants. He began his legal career as a Westchester County Assistant District Attorney. Throughout his career, he has maintained an interest in protecting clients from both known and unforeseeable risks, especially as those risks have multiplied in the digital age. James has been a lecturer on risk management topics in the fields of law, medicine, and accounting.