By continuing to access our website, you agree to our privacy policy and use of cookies.

Skip to Main Content

Press "Enter" to search


Cyber Insurance, Ransomware Attacks and What Happens When You Legally Can’t Pay

How cyber insurance responds in the case of a ransomware attack.

May 28, 2024

Did you know that if your company’s cyber systems are hacked and a bad actor demands ransom to restore your network and data, you may not legally be allowed to pay the ransom?

The Office of Foreign Assets Control (OFAC) maintains lists of specific nations and foreign nationals that are known to be terrorists or criminals or that in some way represent a specific national security risk to the United States. These can include countries like Iran or specific cybercriminal gangs like REvil. If OFAC has flagged a bad actor, it is illegal to pay that bad actor.

Penalties for violating OFAC sanctions can include hefty monetary fines. It also can consist of jail time.

How Do You Know if Ransom Can Be Paid?

Since cybercriminals can originate from anywhere in the world, including OFAC-sanctioned nations, ensuring you are protected from fines and jail time is critically important during the cyber incident response process. A robust cyber insurance policy will pay for advisors who will work on your behalf to ensure you are protected during a ransomware incident. The advisory team should include the following:

  • Breach coach: The attorney who advises you on your legal rights, responsibilities and risks—including OFAC sanctions—during incident response.
  • Digital forensics firm: The firm responsible for investigating the incident's root cause and identifying possible threat actors. The firm will also perform blockchain analysis, malware reverse engineering and signature analysis, and geo-location and language analysis to determine the attacker’s country of origin or whether the malware used is a member of, or is a derivative of, a sanctioned cyber-criminal group.
  • Cryptocurrency broker: A money services business registered with the U.S. Treasury that will perform the “official” OFAC sanctions check, using the information provided by the forensics firm, to determine whether OFAC sanctions apply to the ransom payment. This firm will also facilitate cryptocurrency payment to the threat actor if the payment passes the OFAC sanctions check.

If the team finds no suspicion of an OFAC sanction risk, payment will be allowed. If paying ransom would trigger an OFAC violation, payment will be halted. This protects you from penalties but makes it much more difficult for your business to recover—unless you have prepared adequate data backups that haven’t been breached.

From an insurance perspective, what happens next?

How Does Cyber Insurance Respond if Ransom Can’t Be Paid?

When victims of ransomware attacks are not legally allowed to pay ransom, they typically have three questions about how their commercial cyber liability insurance will respond:

1. Is this incident grounds for the carrier to deny the claim? No.

2. Does this incident limit the coverage? No.

3. Is there a workaround for this specific issue? Yes.

Cyber insurance policies are intentionally built to pay claims under line items not specifically titled “ransomware.” For example, “business interruption” coverage will provide funds to cover the extended downtime brought about by negotiations, research and time to rebuild networks. The cyber policy will cover data restoration and re-creation in the event of data encryption or deletion. As the lifecycle of the cyber claim advances, the cyber insurance policy also will help a victimized company address things such as hardware replacement (bricking), reputational harm, regulatory fines and penalties (state, federal, HIPAA, PCI, etc.) and class action lawsuits.

Cyber Incident Response Planning: As Crucial as Cyber Insurance

Insurance should never be the first response to a known risk. Preparation should be. Having a current, tested incident response plan is invaluable. So is having a solid data backup solution that consists of access and control, duplicate copies and offline segmentation, all of which can mean the difference between being up and running in days versus months.

Hylant’s cyber risk management experts use a vetted cyber risk workflow to help you identify areas of vulnerability, quantify their potential impact and make decisions about processes, cybersecurity investments and cyber insurance coverage to protect your organization from financial and reputational harm. Contact us today to learn how we can help you strengthen your cyber risk management.

Related Reading: Cyber Claim Do’s and Don’ts

The above information does not constitute advice. Always contact your insurance broker or trusted advisor for insurance-related questions.

Authored by

Alex Clark

Alex Clark

Cyber Risk Practice Leader

Alex helps clients understand emerging technology risks and the importance of pre- and post-breach readiness. He takes a hands-on approach to placing coverage and ensuring clients know how to use their cyber policy, prevent incidents, minimize payouts and execute incident response plans.

Want more like this?

Sign up for our monthly e-newsletter, Fresh Perspectives, and other relevant content.

By entering your contact information and submitting the form, you understand that Hylant may send similar information in the future. You can unsubscribe anytime by using the link at the bottom of any Hylant email.

Related Insights