OFAC Sanctions and Ransomware Payments: A World of Issues
Insurance 2022 - the year ahead
2022 will see ever-increasing scrutiny on board decisions in respect of cyber systems and controls with a particular focus on payments to ransomware attackers.
Regulators in the UK, and elsewhere, have for several years now made it clear that they consider issues of cyber security and systems and controls to be of board-level significance.
During the Covid-19 pandemic, ransomware attacks in the UK doubled, reaching record levels according to GCHQ, and continued to rise by up to 36% in some regions during the first six months of 2021.
In 2020, average ransom payments in North America and Europe increased by 171% and now stand at approximately US$310,000. Within the UK and EU, fines under the GDPR (and, in the UK, the DPA 2018) have increased significantly; the current record is the €746 million fine levied against Amazon.
The rising cost and frequency of claims put directors and officers increasingly in the spotlight over whether they complied with their duties to ensure the company had adequate systems and controls in place, and ransomware payments will be a particular concern. Such scrutiny will be especially acute for the leaders of multinationals, given that regulators take different approaches both to the payment of a ransom and to the use of insurance to fund it.
In the past year more regulators have moved to recommend that ransoms are not paid. In the US, OFAC issued an updated advisory in September 2021 which, whilst not prohibiting ransom payments as such, moves the line much closer to prohibition: a payment to a sanctioned person or jurisdiction may itself breach US sanctions on a strict liability basis, and OFAC will treat a company's cyber security measures and its prompt reporting to and cooperation with law enforcement as mitigating factors.
2022 is unlikely to see authorities ban ransomware payments outright, but the mood music is certainly darkening. As a result, we are likely to see a fragmented response from the insurance industry, with risk appetite varying not just by carrier but also by the jurisdictions in which, and the insureds for whom, a carrier is writing cover.