By: James R. Denlea
Many of us have read about the SolarWinds Orion enterprise network attack. It may well be months, if not years, before the damage assessment for the Department of Homeland Security, the State Department, the Office of the President, and Fortune 500 companies can be fully completed.
Accordingly, New York State’s Department of Financial Services (“DFS”) has issued a warning that the failure of any business or organization to develop a “rigorous and data driven approach to cyber risk” could result in serious and unforeseen consequences. This is true for insurers as well as for corporations and organizations.
As to insurers, DFS warns that they must take great care in underwriting these risks, as many insureds use insurance as a cost-effective substitute for improving cybersecurity. The insurer thus runs the risk of actually increasing cyber risk, as the insured will not upgrade its defenses but will simply seek to pass any losses on to the insurer. Unnecessary coverage disputes can also arise from policies that do not specifically rule cyber risk coverage in or out of the policy at issue. As a result, Errors and Omissions, General Liability, and even Product Liability policies have been drawn into disputes over whether an insured has cyber risk protection.
Yet the concerns do not end there. According to the most recent FBI Internet Crime Reports, there was a 37% annual increase in ransomware attacks, which directly caused a 147% increase in associated losses. This raises the question of who should be responsible for paying the ransom: the insurer or the insured. Surprisingly, the answer may be neither, because the payment may be prohibited by the U.S. Treasury’s Office of Foreign Assets Control (“OFAC”).
The Treasury Department has taken the position that ransom payments on behalf of any victim, including financial institutions, cyber insurance firms, and companies performing digital forensics and incident response, not only encourage future attacks but may very well violate OFAC regulations, resulting in significant sanctions.
Because a victimized entity may never know whether the attack was precipitated by anyone on the Specially Designated Nationals and Blocked Persons List (“SDN list”), the best course of action is to make no payments without consultation with, and clearance from, OFAC and the Financial Crimes Enforcement Network (“FinCEN”). Applications for a license to make payments are reviewed on a case-by-case basis, “with a presumption of denial.”
Essentially, protecting an organization can be distilled to three basic elements. First, make sure that your data is covered by all available cyber protection software; it would be prudent to engage professional cyber risk experts to perform testing to ensure the adequacy of your defenses. Second, for insurers, make sure that your underwriting department fully understands the anticipated risks associated with insuring an entity, with specific policy language and recommendations to both minimize risks and clarify exposure. Third, should an attack occur, make sure that all involved decision makers take no action until the proper authorities are contacted. While your organization may regard the risk of attack as slight, given the increased incidence of attacks, the rise in associated losses, and the order of magnitude of the damage, it is long past time to address this existential risk to your organization.