The US Treasury, on October 1, 2020, released an advisory alert on potential sanctions for organizations regarding the payment of ransom during a ransomware incident. The risk of sanctions is tied to OFAC regulations and applies not only to the actual payment of ransom but also to the “facilitation of” payment. Within the context of cyber insurance and cyber extortion coverage, this has broad-ranging implications for victims of ransomware attacks, cyber insurers, insurance brokers, attorneys, and other vendors involved with responding to and recovering from a ransomware event.

While the logistics of how Treasury will identify, trace, or otherwise track the flow of money or cryptocurrency into an OFAC region are not made explicitly clear, the end goal may not be to further punish ransomware victims, but to 1) stop the flow of funds into OFAC regions and 2) reduce the frequency and severity of ransomware generally, if ransom payments are no longer “automatic.” As defensive measures meant to curb ransomware continue to be defeated, cutting off or slowing the distribution of ransom payments may be meant to reduce ransomware attacks over time.

We anticipate that companies may be impacted in multiple ways, both in the near and long-term. Cyber insurers, law firms, and other breach and ransomware response vendors may take a conservative approach to mitigate or eliminate their own regulatory exposure, resulting in delays or the inability to make payments on behalf of insureds. As the financial upside and relative ease attackers have long assumed for ransomware decreases, new patterns of attack have different potential consequences, including:

  • Larger data breaches, both in terms of scope and cost
  • More frequent and longer business interruption events
  • More costly extra expense events, particularly for computer replacement (bricking)
  • Larger reputational risks, as publicizing attacks may increase as companies need to communicate operational disruptions to customers and the market

CAC Specialty is closely monitoring the implications within the cyber insurance market as well as the impact on companies who have assisted or helped facilitate cyber ransom payments in the past. At this time, our initial guidance to clients impacted by ransomware events remains unchanged; if your organization is targeted by ransomware, please reach out to your team at CAC Specialty and engage outside privacy counsel as soon as possible.


For all full copy of the alert, please click here.