Prison warning for insurers making ransomware payouts

Insurers offering cyber extortion policies have been warned about the potentially criminal consequences of failing to carry out proper due diligence when responding to ransomware demands.

Will Healy, associate in cyber insurance with Clyde & Co, explained at a breakfast briefing this morning how Section 17A of the Terrorism Act 2000 meant insurers and those operating on behalf of insurers had to take care to ensure payments were not made to groups attacking for the purposes of terrorism.

The consequences of breaching this included a prison sentence of up to 14 years, a fine, or both.

He said: “The question of when an offence is committed under Section 17 is a little bit of a grey area because you can commit an offence if you have reasonable cause to suspect that the payment is to be made in response to demands made for the purposes of terrorism.

“There’s not an enormous amount of guidance on how that provision is to be interpreted, but it is clear that insurers do not need to prove beyond all doubt that the payment will not be made for the purposes of terrorism. So that is positive.

“Equally however, it does not mean that an insurer has carte blanche to pay a ransom without carrying out any sort of due diligence. It is not acceptable to say, ’I have no idea who is making this ransom demand, I’m not going to do any investigations into the identity of the person making the demand, and because of this I have no cause to suspect it is a terrorist and so I’m going to pay it.’ That’s not an acceptable stance to take.”

Guidance from Lloyd’s in 2015 recommended that insurers carry out “enhanced due diligence checks in line with their general money laundering obligations”.

Healy explained this meant analysis of the threat made and the actions of the extortionists, and that it was almost always necessary to engage with forensic investigators. Any suspicion that the payment will be made for the demands of terrorism was enough reason for the payment not to be made. Further investigations would then be required to confirm or deny the suspicions.

If the suspicions can’t be eliminated, the only way in which payment can be made is to seek consent from the National Crime Agency.  

Healy recommended that a strong compliance framework was necessary among insurers to handle ransom demands.

Kidnap and ransom insurance vs cyber policies 

Clyde & Co Partner Michelle Crorie advised that insurers protect themselves further by offering policies that reimburse the client where a ransom is paid, although the response consultant acting on behalf of the insurer to communicate with the attackers would still be required to carry out due diligence.

Crorie explained how kidnap and ransom insurance could cover cyber extortion, and how the quality of the response consultant had been a key feature in the sale of these policies. She said she expected this to soon become the case with newer cyber policies protecting against extortion, but highlighted key differences between the two types of policy.

Among these differences included business interruption costs generally included in cyber policies and more significantly the requirement in K&R policies that the attacker make some demand.

She said: “If somebody were to come into your system and takes money or takes data out to do what they wish with it for whatever nefarious purpose, this would not be covered under a traditional K&R policy. But if they actually ask for some kind of payment in order to prevent the access or prevent the use of the information, then it does fit within a K&R policy.”

Cyber policies were described as more ambiguous in how they could be interpreted around cyber breaches of security.

She added: “Cyber extortion in cyber policies can be slightly different to K&R mainly because they didn’t evolve in the same way from the tradition concept of extortion. Rather they start from cyber issues and move towards extortion.

“So cyber policies use slightly more technical language in the way that they cover cyber extortion, but actually their definitions are looser, which may or may not be a benefit.

“So whereas we have very tight wording in K&R policies around the threat that needs to be made demanding a ransom, which is either money or services from the victim, the kinds of cyber extortion that we’ve seen from cyber policies involve things like a threat to breach data security or a threat of having an impact on computer systems or a threat to reveal sensitive business data.”

She warned this meant in the case of a cyber attacker demanding something other than money or services, such as activists demanding an employee be fired, a K&R policy may not provide cover.