In just one year, ransomware attacks reported to the New York State Department of Financial Services (“DFS”) have almost doubled. In these incidents, a cyber attacker installs malware that encrypts a victim’s computer systems or files and then demands a fee, or ransom, to unlock the encrypted data. Fortunately, cyber insurance that expressly covers the risk of ransomware has been widely available in recent years. These policies will pay for some or all of the ransom demand in the event of a ransomware attack, allowing the policyholder to regain control over its files and systems and resume operations. While paying a ransom is unappealing to most, it is typically far less expensive than the cost of replacing or restoring permanently locked files and equipment, along with the associated downtime.
Regulators have long scrutinized the perverse incentives of ransomware payments, however, and their tendency to encourage more ransomware attacks. On February 4, 2021, the DFS issued guidance, the Cyber Insurance Risk Framework, outlining best practices for New York-regulated property and casualty insurers that underwrite cyber insurance. Notably, the DFS recommends that insurers not make ransomware payments. The DFS cited guidance from the Office of Foreign Assets Control of the U.S. Department of the Treasury stating that insurers can be held liable for making ransom payments to sanctioned entities.
The Risk Framework is nonbinding, but its recommendation that insurers not make ransom payments could put pressure on insurers to stop issuing cyber insurance policies with ransomware coverage. Although this may advance DFS’ policy goal of reducing incentives to commit ransomware attacks, there is no question that, in the short run, it would make ransomware attacks far more costly for policyholders, who would have to either pay the ransom out of pocket or shoulder the cost of restoring their encrypted computer systems.