
OFAC And FinCEN Warn Of Risks Relating To Ransomware Payments

10.29.20

(Article from Insurance Law Alert, October 2020)


On October 1, 2020, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) and Financial Crimes Enforcement Network (“FinCEN”) concurrently issued formal advisories warning cyber insurance firms and others of the regulatory risks relating to ransomware payments.  Ransomware is a form of malware designed to extort ransom payments from victims by encrypting data or programs on their information technology systems and demanding payment in return for the decryption key.  Over the last few years, ransomware has become increasingly sophisticated, targeting major corporations and demanding virtual currency payments such as bitcoin in amounts that are equivalent to millions of U.S. dollars. 

These attacks are perpetrated by a number of global bad actors, including certain persons and entities that have been designated on OFAC’s Specially Designated Nationals and Blocked Persons (“SDN”) List pursuant to cyber-related sanctions implemented by the U.S. government.  Cybercriminals designated as SDNs include the criminal organization appropriately named Evil Corp and many of its constituents.  OFAC’s advisory reiterates and reinforces informal guidance that it has offered to the cybersecurity industry recently, cautioning that, absent a license, it is a violation of law for a U.S. person or entity to pay or facilitate a ransomware payment to a party designated by OFAC on the SDN List.  Under some circumstances, even non-U.S. persons may be penalized by OFAC for their involvement in ransomware payments.  OFAC’s guidance explains that it may impose penalties for sanctions violations based on strict liability, meaning that penalties may be imposed on parties even if they did not know or have reason to know that they were engaging in or facilitating a transaction involving an SDN.  For that reason, OFAC is encouraging victims of ransomware attacks, as well as those involved in providing cyber insurance, digital forensics and incident response, and ransom payment processors, to implement risk-based compliance and diligence procedures to ensure that ransom payments are not directed to SDNs and other sanctioned parties.  Ransomware victims and related parties are also encouraged to report ransomware attacks to law enforcement during the event or immediately thereafter.

Relatedly, FinCEN’s advisory explains the regulatory risks for entities that process ransomware payments.  Ordinarily, payments are effected through a multi-step process involving at least one depository institution and one or more money services businesses (“MSBs”).  The ransomware victim’s fiat currency is typically transferred to a virtual currency exchange, converted to a particular virtual currency specified in the ransom note, and then transferred to the perpetrator’s virtual currency wallet.  The perpetrator will then launder these funds through a variety of means and often through foreign-located exchanges in jurisdictions with weak anti-money laundering controls.  Cyber insurance providers should take note of three points raised in the advisory.  First, entities involved in making ransomware payments should reevaluate whether they are required to register as an MSB with FinCEN and comply with applicable anti-money laundering provisions of the Bank Secrecy Act.  This may include, for example, ransomware negotiators that are responsible for transferring ransom funds.  Second, FinCEN offers in the advisory ten “red flags” for financial institutions—including the victim’s depository institution from which funds are originally drawn—to identify, prevent, and report ransomware and associated payments.  To that end, we expect there to be an increased focus in the financial industry on these types of issues.  Third, FinCEN reminds financial institutions of their obligations to file Suspicious Activity Reports for certain suspicious transactions.  While insurance companies are not required to file such reports except in specific limited circumstances, there may be instances where doing so may be prudent or required by certain parties involved in the ransomware payment.

These advisories should serve as a bellwether for the cyber insurance industry, demonstrating that relevant regulatory agencies are becoming increasingly focused on ransomware payments as a hot button issue that may usher in an era of increased enforcement in this space.  Insurance companies offering cyber insurance products that reimburse insureds for ransomware payments should take heed of these warnings and the shifting regulatory landscape, and consider whether they are taking adequate steps to mitigate the regulatory risks described in both advisories.  While consideration of the reasonableness and sufficiency of any such efforts is highly contextual and fact-specific, these advisories reinforce the need to ensure that insurance companies have appropriately considered the risks of making those payments, and the processes by which those payments are made.