Ransomware: Should you pay the ransom? - Part 2

When a company receives a ransomware demand, there are several questions to consider before making the decision to pay.


A ransomware demand is enough to give any company executive heartburn while the decision of whether to pay is weighed. Part 1 of this two-part series highlighted three factors to consider as part of the decision to pay: what has been compromised, what the downtime will cost the company, and whether personally identifiable information was affected. Several other issues must be considered before making a final determination on whether to pay a ransom.

Are there other regulatory impacts to consider?

In some cases, an organization's leadership or its standing policies may take the position that the organization will not pay a ransom, regardless of the consequences. This position follows that of government agencies, including the Federal Bureau of Investigation, which do not support paying a ransom in response to a ransomware attack. But when the possibility of payment is on the table, organizations need to know that simply making the payment could put them in legal jeopardy.

The primary basis of this legal jeopardy is that, under the International Emergency Economic Powers Act (IEEPA) and the Trading with the Enemy Act (TWEA), U.S. persons who engage in transactions with certain sanctioned persons and organizations can be subject to significant civil penalties. Specifically, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) maintains the Specially Designated Nationals and Blocked Persons List (SDN List), in addition to other blocked persons and comprehensively sanctioned jurisdictions. A cryptocurrency payment to one of these parties may restore the victim's access to its systems and data, but it could also subject the organization to OFAC enforcement. Notably, OFAC may impose civil penalties on a strict-liability basis, so an organization can be held liable even if it did not know, and had no reason to know, that the recipient was a sanctioned party.

OFAC addressed this issue directly in its Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments (Advisory), issued October 1, 2020 and updated September 21, 2021. The Advisory makes clear that the victim and any entity involved in facilitating a ransom payment, including financial institutions, cyber insurers and incident response firms, may have done so in violation of OFAC regulations, subjecting them to enforcement action and fines. This risk is heightened by the difficulty of determining who is actually on the other side of a cryptocurrency transaction.

The Advisory highlights these concerns while also noting that certain pre- and post-breach actions can mitigate OFAC exposure. Implementing "a risk-based compliance program" before a breach, and promptly making a "complete report of a ransomware attack to law enforcement" and cooperating with investigators after one, are treated by the Advisory as significant mitigating factors in any enforcement decision.

OFAC compliance may not be the only regulatory hurdle to overcome if momentum is moving in favor of payment. In the summer of 2021, following a string of high-profile ransomware attacks including the Colonial Pipeline attack, four states proposed legislation that would ban ransom payments. None of these bills had become law as of this writing, but organizations need to keep regulatory limitations on ransom payments in view as privacy and cybersecurity laws continue to evolve rapidly.

What will insurance cover?

Organizations are wise to understand their cyber policies well ahead of a breach and have a strong cyber risk management strategy in place that balances a realistic role for the insurance policy against the organization’s mitigation practices. Knowing what insurance will and won’t cover will assist in faster decision-making in the wake of a ransom demand.

A business evaluating its cyber insurance coverage should ask the following key questions:

  1. Does my organization have cyber risk insurance?
  2. If so, what does the insurance policy potentially cover in the event of a ransomware incident?

Does the policy cover legal expenses; a forensic investigation; the negotiation and payment of a ransom demand; data recovery expenses; income loss from the operational interruption; notification, credit monitoring and call center expenses for affected individuals; and defense of liability claims alleging financial damages? Policies frequently apply a separate, lower sublimit to extortion payments and require the insurer's consent before a payment is made, so those terms deserve particular attention.

After reviewing the cyber insurance coverage, understanding the potential impact of the incident is important in deciding how to proceed. An organization should identify the limits available and any deductibles or retentions, and then decide on the best use of available funds. Does the organization want to use the available limits to negotiate and pay the ransom demand, to recover the lost electronic data, or to recoup the income loss from the operational disruption? All of these options should be explored before making a decision.

Are there any other moral or public relations impacts to consider?

The decision to pay or not to pay a ransom tends to be centered on rules and numbers. But there’s another factor that weighs on the minds of organizational leaders. Is it the right thing to do? Is paying the ransom in line with our company values? How will the decision impact our reputation? How will it impact the safety of others?

An organization must also consider how the decision to pay now and "get it over with" may affect the company and its brand in the long term. Yielding to the ransom can open a company up to future attacks because it is then seen as a soft target, and payment does not guarantee that the attacker's decryptor will work or that any stolen data will actually be deleted. Furthermore, paying a ransom can send the wrong message to customers and the public about yielding to extortion. The moral and PR implications should be thought through ahead of any attack, not in the middle of one.

The decision to pay or not to pay is a complex one that must be made under immense pressure. Organizations must quickly weigh the size of the ransom demand against recovery time, potential business income loss, the cost to recover the data, the cost to notify affected individuals and provide identity monitoring, a reserve for class action litigation, and the costs of any regulatory and reputational impacts. Any decision to pay then becomes a matter of negotiating and determining who pays what. Organizations must work quickly to answer all of these questions, as delay only increases the negative impact.

An important takeaway for organizations and insurance providers is to assess exposure and costs in advance of an attack. This pre-loss analysis and game planning can help prepare for the inevitable and ease the decision-making process when time is of the essence.

Danielle M. Gardiner, CPA, CFF, (dgardiner@lowersforensics.com) is senior vice president of Lowers Forensics International. Joseph Lazzarotti (joseph.lazzarotti@jacksonlewis.com) is an attorney at law with Jackson Lewis P.C. Special thanks to Shiraz Saeed (ssaeed@archinsurance.com), vice president – cyber risk product leader at Arch Insurance Group, for his contributions.

Disclaimer: This article should be considered for general information purposes only. It represents the personal views of the authors and contributors and does not reflect the views of Arch Insurance Group.
