
Aon  |  Professional Services Practice
Ransomware Payment Prohibitions – Do They Work, and Will More States Adopt Them?

Release Date: March 2023

The practicality and implications of a broad ransomware payment prohibition have been much discussed by politicians at the state and federal level over the past few years.

A ransomware attack very often threatens the existence of the victim firm; inaccessibility of systems and data, publication of sensitive information and loss of reputation can be devastating. According to Cybereason’s 2022 report “Ransomware, The True Cost to Business”:

  • 37% of victims were forced to lay off employees
  • 35% reported C-level resignations
  • 33% were forced to suspend business operations

According to Rubrik Zero Labs’ “The State of Data Security”, a July 2022 cybersecurity survey of over 1600 IT professionals and decision makers, when faced with ransomware:

  • Among organizations more than 25 years old, 52% said they were extremely likely to pay and 76% would “consider paying”
  • Among organizations less than 25 years old, 62% said they were extremely likely to pay and 84% would “consider paying”

The US Department of the Treasury's Financial Crimes Enforcement Network recently published a report showing that in 2021, under the Bank Secrecy Act, banks made 1,489 ransomware-related filings totaling nearly $1.2 billion.

As ransomware is a scourge with enormous financial and human cost, there is an attractive logic to prohibiting ransomware payments. Ransomware attackers are predominantly financially motivated, and if the metaphorical well dries up (or is blocked by government mandate) the hackers will stop going there, ending a problem that cost US companies $1.2 billion in 2021. However, to date there has been relatively little action by legislatures, particularly in restricting a business's ability to pay ransoms.

Several states have made some legislative moves towards restricting ransom payments, with North Carolina and Florida being the first to pass legislation prohibiting certain state agencies from paying ransoms. Other states have legislation pending (Pennsylvania) or under consideration (New York, Texas, Arizona, New Jersey).

The statutes passed in North Carolina and Florida apply only to specific government agencies. The proposed New York legislation applies to non-government entities as well (although with relatively modest penalties proposed for those that do not comply).

Previously, the only significant restrictions applicable to companies arose from the Department of the Treasury's Office of Foreign Assets Control (OFAC). The federal government has made it clear, through the OFAC Advisories of October 2020 and September 2021, that, while it "strongly discourages" paying a ransom, companies are not prohibited from doing so, even if it involves paying a sanctioned entity.

Paying a sanctioned entity is a risky procedure, even if the victim entity follows the mitigating procedures described in the OFAC Advisories. There is clear recognition, however, that sometimes the victim will effectively have no choice but to pay.

There are strong disincentives built into these advisories for companies that do elect to pay a ransom. The OFAC advisory of September 2021 is explicit:

Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms … not only encourage future ransomware payment demands but also may risk violating OFAC regulations.

In effect this means that cyber insurers will not take the risk of incurring an OFAC violation penalty by reimbursing an insured for any payment to a sanctioned entity. Many insurance policies have explicit exclusions with respect to OFAC and other statutory and regulatory mandates, but whether there is an exclusion or not, insurers cannot make payments or reimbursements where prohibited by law. This would include reimbursements for payments to sanctioned entities.

A victim that decides there is no option but to pay a sanctioned entity is therefore not only taking the risk of incurring OFAC penalties, but also the risk that its insurers will be unable to reimburse it for the payment. It is therefore important, when faced with ransomware, to establish whether insurance will be permitted to reimburse a payment, as this may change the complexion of the negotiations.

However, it appears that, following the example of the federal government, most states are not proposing to prohibit non-government entities from paying ransoms. There are good reasons not to:

  • Doing so would potentially put the state in a position of mandating a company out of business and voter-taxpayers out of their jobs.
  • Legislation of this type may factor into the decision-making of any corporation considering setting up business in the state.
  • It could also factor in the decision-making of an entity considering a move to another domicile.
  • There is no guarantee that the legislation will eliminate, or even reduce, the incidence of ransomware or other cyberattacks.

It is also important to remember that state entities have a different resilience model than private enterprises. A state entity has little risk of "going out of business".

In banning the payment of ransoms by some state entities, the hope appears to be that attackers will stop targeting them, as they will not be paid. Hacking groups, however, are unpredictable, and some may take it as a challenge to see where the line is truly drawn. Others may be funded by nation states and will continue their attacks, if only to cause disruption to U.S. interests.

Ultimately, state entities are supported by taxpayers, and while taxpayers may appreciate the effort to be responsible about how tax dollars are used, they may be less appreciative when critical services are down for weeks on end and the cost and time taken to restore them are multiples of what they would have been had a ransom been paid.

It is too soon to determine whether the legislative actions of North Carolina and Florida will result in a decrease in attacks. It is likely state entities could receive a short-term benefit from the ransom payment prohibitions, as there is no shortage of other targets available. However, if every state were to pass similar legislation, it is likely that hackers would respond by changing their business models. Ransomware attacks may diminish, but other attacks would take their place.


Aon is not a law firm or accounting firm and does not provide legal, financial or tax advice. Any commentary provided is based solely on Aon’s experience as insurance practitioners. We recommend that you consult with your own legal, financial and/or tax advisors on any commentary provided by Aon. The information contained in this article and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity.

Contact

The Professional Services Practice at Aon values your feedback. To discuss any of the topics raised in this article, please contact Tom Ricketts.

Tom Ricketts
Senior Vice President and Cyber Risk Leader
New York

The Cyber Solutions team at Aon can help you understand and quantify your cyber risks. Please contact Bryan Hurd.

Bryan Hurd
Managing Director, Aon Cyber - Stroz Friedberg
Seattle