Key takeaways from recent OFAC guidelines: Carefully review insurance coverage and respond to cyber incidents with the help of experienced advisors
On September 21, 2021 and October 15, 2021, the Office of Foreign Assets Control (OFAC) of the US Treasury Department reiterated the sanctions risks of facilitating ransom payments to designated malicious cyber actors. As discussed in our previous blog post on OFAC’s advisory of October 1, 2020, OFAC has made clear that it is increasingly willing to take enforcement action against entities, including cyber insurers, that facilitate payments to sanctioned threat actors on behalf of victim companies.
These guidelines should serve as a reminder to policyholders that ransomware and other cyber incidents trigger strict regulatory and reporting requirements, and that policyholders should consider bringing in experienced advisors to develop a cohesive response strategy when cyber incidents occur. The OFAC guidelines should also prompt policyholders to carefully review their cyber insurance (and other) coverages to ensure that they provide the broadest possible coverage for cyber risks while complying with OFAC guidance.
OFAC’s recent ransomware directions and trends
In its most recent guidelines, OFAC has warned insurers that if they do not comply with OFAC regulations they face civil penalties, and that OFAC may impose these penalties on the basis of “a legal standard of strict liability.” OFAC has sought to clarify its future intentions by providing more detailed guidance to the public. In addition to providing detailed case studies relating to sanctionable conduct, risk assessment measures and necessary internal controls, OFAC has also made efforts to update the definitions used in the context of ransomware, such as “digital currency”, “digital currency wallet”, “digital currency address” and “virtual currency”.
This guidance comes shortly after a US Treasury Department report on ransomware trends. The report shows that ransomware is an increasingly widespread and costly threat to businesses: the US Treasury Department observed that as of June 30, 2021, the total value of suspicious activity associated with ransomware transactions in 2021 was $590 million, which exceeds the total value reported for all of 2020.
Reminders to policyholders
These trends and guidelines should serve as a reminder that policyholders should carefully review their coverage with an insurance advisor and be prepared to engage experienced advisors, including breach response advisors, ransomware specialists, and cyber incident insurance advisors.
Along with cyber-incident-specific policies, which will provide the strongest coverage for cyber incident expenses and liabilities, organizations should assess their other key policies for cyber incident loss coverage: kidnap, ransom and extortion; crime; directors and officers; and even property insurance policies can offer additional coverage.
These are just a few of the main issues and gaps that corporate policyholders should consider when reviewing their existing coverage:
- Review sanctions exclusions, including sanctions exclusion riders, to ensure that the insurer has appropriate language in place to recognize sanctions guidance, including OFAC guidelines, but that the policy still provides the policyholder with broad coverage as long as the payments do not violate sanctions guidance.
- Consider optional coverages, such as Reputation Loss Coverage and Public Relations and Crisis Management Coverage, to help mitigate the fallout from any cyber incident.
- Request that any exclusions of terrorism and warfare in cyber policies contain exceptions for cyberterrorism and that all war exclusions be revised to apply only to physical warfare.
- Ensure that contractual liability exclusions contain an exception for liability that would exist in the absence of a contract and an exception for actions brought by a payment card brand or acquiring bank, including payment card industry fines or penalties.
- Make sure that the exclusions for personal injury or invasion of privacy are removed so that they do not apply to otherwise covered claims arising from a breach of privacy.
- Purchase express social engineering coverage on your company’s crime insurance policy to cover social engineering schemes and business email compromises that lead to fraudulent transfers.
Policyholders should strive to identify and address gaps in their insurance program prior to renewal, including eliminating problematic exclusions and endorsements in their cyber insurance policy, to ensure they have adequate coverage for cyber incidents in the future.