North Carolina recently became the first state to prohibit ransom payments by state agencies and local governments, and New York and Pennsylvania are considering similar legislation. A bill has also been introduced in Congress that would require private companies to report ransomware payments.

Some legislators, however, are calling for an outright ban on ransomware payments, which has drawn concern from federal law enforcement officials who fear a ban would further victimize businesses that are already under attack. Bryan Vorndran, assistant director of the Federal Bureau of Investigation’s Cyber Division, told a congressional committee that such a ban would give cybercriminals a new lever against targets that pay: the threat of reporting the payment to authorities. According to Vorndran, by making “the paying of ransoms illegal, you’re creating a third extortion, which means that if a company chooses to pay and they have now broken the law, then a cyber-adversary has the ability to hold them accountable in the public’s eye and threaten them even more with a higher extortion.”

This debate is taking place against the backdrop of evidence that the percentage of companies making ransom payments is actually going down. As recently reported by Corvus, a leading Managing General Agent underwriting cyber coverage, only 22% of its insureds experiencing an attack are making ransom payments, down from a previous high of 50%. Corvus attributed the drop to underwriters requiring stronger backups and greater resiliency on the part of their insureds as a condition of coverage.


The Takeaway

Payment of the ransom by a targeted business should be a last resort, considered only after recovery from backups and other resiliency measures have been exhausted. Cyber insurance can connect policyholders with a threat consultant who can help minimize a company’s financial losses and reputational harm, and the policy’s notice and consent provisions should be reviewed before any payment is made.



Target Corp. v. ACE Am. Ins. Co., et al., No. 19-CV-2916 (WMW/DTS) (D. Minn. Mar. 22, 2022)

In an unusual reversal, a federal court recently reconsidered its prior ruling and permitted a retailer to recover from its general liability policy certain losses it sustained following a 2013 data breach in which an attacker gained access to payment card information and personal contact details for the retailer’s cardholders.

As a result of the breach, the retailer faced claims from the banks issuing the payment cards for the costs they sustained replacing those cards. Upon settlement of these claims, the retailer sought coverage under its general liability policy, but the insurer maintained that the policy had not been triggered. Although the court initially found the retailer could not demonstrate “loss of use” of tangible property, as required by the policy, the retailer requested reconsideration, citing a prior case from a federal appeals court in which the inoperability of payment cards was found to constitute such loss of use. The trial court agreed, finding payment cards amounted to tangible property and the insured had satisfied its burden of establishing loss of use under the policy.

The Takeaway

While this decision is welcome news for the retailer in question, policyholders and their advocates should temper their enthusiasm. The policy at issue was written in 2013, and since that time, underwriters have worked tirelessly to eliminate inadvertent triggers of coverage for cyber incidents under non-cyber policies, a phenomenon known as “silent cyber.” Insurers will continue to root out such ambiguous wording, underscoring the need for standalone coverage written for the express purpose of addressing cyber risk.