Some legislators, however, are calling for an outright ban on ransomware payments, which has sparked concern from federal law enforcement officials who fear a ban would result in the further victimization of these businesses. Bryan Vorndran, assistant director of the Federal Bureau of Investigation’s Cyber Division, told a congressional committee that such a ban would incentivize cybercriminals to further extort targets who pay ransom by threatening to report them to authorities. According to Vorndran, by making “the paying of ransoms illegal, you’re creating a third extortion, which means that if a company chooses to pay and they have now broken the law, then a cyber-adversary has the ability to hold them accountable in the public’s eye and threaten them even more with a higher extortion.”
This debate is taking place against the backdrop of evidence that the percentage of companies making ransom payments is actually going down. As recently reported by Corvus, a leading Managing General Agent underwriting cyber coverage, only 22% of its insureds experiencing an attack are making ransom payments, down from a previous high of 50%. Corvus attributed the drop to underwriters requiring stronger backups and greater resiliency on the part of their insureds as a condition of coverage.
Payment of the ransom by a targeted business should be considered a last resort. Cyber insurance can connect policyholders with a threat consultant who can help minimize a company’s financial losses and reputational harm.
As a result of the breach, the retailer faced claims from the banks issuing the payment cards for the costs they sustained replacing those cards. Upon settlement of these claims, the retailer sought coverage under its general liability policy, but the insurer maintained that the policy had not been triggered. Although the court initially found the retailer could not demonstrate “loss of use” of tangible property, as required by the policy, the retailer requested reconsideration, citing a prior case from a federal appeals court in which the inoperability of payment cards was found to constitute such loss of use. The trial court agreed, finding payment cards amounted to tangible property and the insured had satisfied its burden of establishing loss of use under the policy.
While this decision is welcome news for the retailer in question, policyholders and their advocates should temper their enthusiasm. The policy at issue was written in 2013, and since that time, underwriters have worked tirelessly to eliminate inadvertent triggers of coverage for cyber incidents under non-cyber policies, a phenomenon known as “silent cyber.” Insurers will continue to root out such ambiguous wording, underscoring the need for standalone coverage written for the express purpose of addressing cyber risk.