CYBER RISK PREVENTION: A CAUTIONARY TALE
By: James R. Denlea
Many of us have read about the SolarWinds Orion enterprise network attack. It may well be months, if not years, before the damage assessment for the Department of Homeland Security, the State Department, the Office of the President, and Fortune 500 companies can be fully completed.
Accordingly, New York State’s Department of Financial Services (“DFS”) has issued a warning, that the failure of any business or organization to develop a “rigorous and data driven approach to cyber risk,” could result in both serious and unforeseen consequences. This is true both for insurers as well as corporations and organizations.
As to insurers, DFS warns that they must take great care in underwriting these risks, as many insureds use insurance as a cost-effective substitute for improving cybersecurity. As such, the insurer runs the risk of actually increasing cyber risk, as the insured will not upgrade their defenses but simply seek to pass any losses on to the insurer. Unnecessary coverage disputes can also arise from policies that do not specifically rule cyber risk coverage in or out of the specific policy at issue. As a result, Errors and Omissions, General Liability, and even Product Liability policies have been drawn into disputes as to whether an insured has cyber risk protection.
Yet the concerns do not end there. According to the most recent FBI Internet Crime Reports, there was a 37% annual increase in ransomware attacks, which directly caused a 147% increase in associated losses. This raises the question as to who should be responsible for paying the ransom, the insurer or insured. Surprisingly, the answer may be neither, because the payment may be prohibited by the U.S. Treasury’s Office of Foreign Assets Control (“OFAC”).
The Treasury Department has taken the position that ransom payments on behalf of any victim, including financial institutions, cyber insurance firms, and companies performing digital forensics and incident response, not only encourage future attacks but may very well violate OFAC regulations, resulting in significant sanctions.
Because a victimized entity may never know if the attack was precipitated by anyone on the Specially Designated Nationals and Blocked Persons List (“SDN list”), the best course of action is to make no payments without consultation with, and clearance from, OFAC and the Financial Crimes Enforcement Network (“FinCEN”). Applications for a license to make payments are reviewed on a case-by-case basis, “with a presumption of denial.”
Essentially, protection of an organization can be distilled to three basic elements. First, make sure that your data has all available cyber protection software. It would be prudent to engage professional cyber risk experts to perform testing to ensure the adequacy of your defenses. Second, to insurers, make sure that your underwriting department fully understands the anticipated risks associated with insuring an entity, with specific policy language and recommendations to both minimize risks and clarify exposure. Third, should an attack occur, make sure that all involved decision-makers take no action until the proper authorities are contacted. While your organization may regard the risk of attack as slight, given the increased incidence of attacks, the rise in associated losses, and the order of magnitude of damage, it is long past time to address this existential risk to your organization.