
With the dramatic uptick in ransomware attacks over the past twelve months, there has been much discussion about whether or not to criminalize the payment of ransomware demands. In fact, in October, the Office of Foreign Assets Control (OFAC) issued an advisory on the sanction risks of paying ransoms and a FINCEN Advisory on reporting ransomware red flag indicators. The NY DFS issued similar guidance.
The OFAC guidance was intended to set parameters for organizations intending to make ransomware payments. Some specifics from the guidance include the following: reporting to the FBI may be a mitigating factor; applications for licenses will presumptively be denied but reviewed on a case-by-case basis; financial institutions (including cyber insurers and IR providers) will need to have an OFAC risk-based compliance program in place; and entities that are not using a third party to facilitate a ransomware payment must perform the OFAC check themselves before making the payment.
Some have mistakenly understood the alert to mean that companies cannot make ransom payments under any circumstances, or that companies must inform the FBI before/after making the payment. Neither is true. A ransom payment can be made if an OFAC check is performed and the recipients (and their associated information — e.g., bitcoin wallet address, threat actor organization) are “clear.” Notice to the FBI of the incident is not required, but if an entity makes a payment to a third party who is on the SDN list (which would violate the law unless an exception was obtained) then informing the FBI of the incident/payment is considered a mitigating factor in whether to assess a penalty and the amount of the penalty.
Similarly, earlier this month, the NYDFS issued guidance in the form of a Cyber Insurance Risk Framework encapsulating some key best practices for all authorized property and casualty insurers that write cyber insurance. The Circular Letter was issued as a result of the SolarWinds attack, COVID-19 and the huge uptick in ransomware claims (by its estimates, a 180% increase in claims from 2018 to late 2019 and a 150% increase in average cost).
Specifically regarding ransomware, DFS recommends against making ransom payments. The letter clarifies, “Ransom payments fuel the vicious cycle of ransomware, as cybercriminals use them to fund ever more frequent and sophisticated ransomware attacks.” Again, as with the FBI, NY DFS is not saying ransomware payments cannot be made, rather that they recommend against it.
In short, “each insurer should take an approach that is proportionate to its risk.” In order to manage their risk, the DFS suggests the following best practices:
- Establish a formal cyber insurance risk strategy
- Manage and eliminate exposure to silent cyber insurance risk
- Evaluate systemic risk
- Rigorously measure insured risk
- Educate insureds and insurance producers
- Obtain cybersecurity expertise
- Require notice to law enforcement
It is important to note that to date, there have been no civil penalties levied against insurers or response firms for paying or facilitating the payment of a ransom. However, it is believed that the ransomware problem is being made worse by victims using their insurance to pay ransoms to their threat actors.
Oftentimes, however, the decision of whether or not to pay is not simply a function of funding terrorism or bad behavior but a business decision. Every hour that a company is being extorted can equate to substantial lost revenue. Even excellent backups are not always a solution that avoids paying the ransom, since many times the hackers will encrypt the backups as well.
Given the current threat environment, companies must do everything they can to be prepared for a ransomware attack. While there is no guaranteed solution, some basic best practices that can help decrease ransomware exposure start with simply having better security controls. Beyond that, multifactor authentication has become critical, as have recoverable system and data backups and ensuring that remote desktop protocol (RDP) ports and services are not exposed to the internet. Companies should also keep software patches current for VPNs and any other devices that provide access to corporate networks. Lastly, consistent privacy awareness training and social engineering controls must be employed.
At NFP, we understand the inherent complexities faced by organizations in the cybersecurity space. Find an NFP Professional today and learn how you can benefit from NFP’s cyber and technology leadership.