A recent announcement on ransomware from the federal government has put cyber insurance companies and their policyholders in a bind.
If the targeted business doesn’t pay the ransom, it can’t operate. If it and its insurer do pay the ransom, the government may penalize them both, and the fines could be hefty — as much as $250,000 per violation in “non-egregious” cases, under new U.S. Treasury guidelines.
This news comes as ransomware attacks are increasingly hitting small businesses. A recent study by cybersecurity firm NetDiligence showed that, over the past five years, small and medium-sized businesses have made insurance claims for ransomware attacks at three times the rate of hacking events, with insured ransom payments averaging $247,000 plus $350,000 in recovery costs.
The fallout and what’s happening
An insurance company that wants to operate in good standing may not be willing to risk incurring penalties by paying the ransom as part of its coverage.
The announcement has already caused insurers to reject applicants who have been hit with certain ransomware strains, according to one cyber-security expert.
He said insurers and the Treasury Department communicate frequently to determine the risk that certain payments may violate the law.
The Treasury Department has historically discouraged victims from paying ransoms, saying that ransoms enable criminals and adversaries to “profit and advance their illicit aims.”
Recently, the department went a step further: It will start penalizing anyone who pays or facilitates payment of ransoms to certain individuals, groups and countries. That could include the victimized businesses and their insurance companies.
The department believes that some ransom payments have gone to individuals and entities named on the Specially Designated Nationals and Blocked Persons List. This list, created after the September 11, 2001, terrorist attacks, identifies those suspected of terrorist activity.
Federal law prohibits making or facilitating payments to anyone named on the list or to countries on the terrorist watch list, such as Cuba, North Korea and Iran. Those who make payments to these individuals, entities or countries face civil penalties even if they were unaware that the recipient was on the lists.
The department’s Office of Foreign Assets Control is authorized to fine everyone involved in making an illegal payment, including the insured business and the insurer.
Advice from the Feds
The Treasury Department has urged businesses to take mitigation steps to prevent attacks. Businesses that implement cyber-security practices such as employee training, system monitoring, multi-factor authentication and installing anti-malware protection on their servers are less likely to be victimized.
In addition, the department said it would look more favorably on businesses that have these protections in place and end up having to pay ransoms anyway. Organizations that self-report possible impermissible payments to law enforcement will also be considered as having mitigated the risk.
Ransomware has become a plague for all kinds of organizations. Taking defensive measures is the best way to avoid having to make an insurance claim and accidentally breaking the law.
Company: BGES Group, 216A Larchmont Acres West, Larchmont, NY 10538
© – Copyright – 2021 – BGES Group