As cyber attacks have greatly increased during the COVID-19 pandemic, especially a sharp uptick in ransomware cases, 2020 saw the start of a litmus test for the entire cyber insurance industry that will likely unfold during 2021. Whilst the global cyber insurance market continues its steep growth, cyber insurance disputes around the globe slowly find their way to courts in many jurisdictions. In the same vein, regulators around the world are updating, expanding, and introducing new legal guidelines to address the cyber threat landscape and assist (or force, depending on your viewpoint) the corporate sector to adopt new measures to tackle cyber incidents.
In the following, we present three noteworthy cyber cases and regulatory developments of 2020.
US OFAC & FinCEN Ransomware Advisories
On 1 October 2020, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) issued separate advisories for U.S. individuals and businesses in an effort to combat ransomware scams and attacks. Both advisories warn victims of ransomware attacks and their potential cyber insurers against facilitating payments that may violate anti-money laundering statutes or finance sanctioned terrorist organizations. The OFAC advisory reads:
“[…] ransomware payments benefit illicit actors and can undermine the national security and foreign policy objectives of the United States. For this reason, license applications involving ransomware payments demanded as a result of malicious cyber-enabled activities will be reviewed by OFAC on a case-by-case basis with a presumption of denial.”
As, by the very nature of a ransomware attack, the extorting party is usually not known, the advisories essentially call into question whether ransomware payments, regardless of whether they are insured or made by the affected party directly, are legal under US law. These advisories could have far-reaching effects and possibly change the coverage of cyber insurance, not only in the US but across the entire cyber insurance industry, because the US market is by far the largest and its cyber policies act as a template for other markets.
UK High Court case of AA v Persons Unknown
In October 2019, hackers installed the ransomware BitPaymer, which infected over 1,000 computers and 20 servers of a Canadian company that held a cyber insurance policy with an English insurer. The insurer facilitated the payment of the demanded ransom of $950,000 in Bitcoin to unlock the systems. In the aftermath, a forensic analysis of the transactions of the bitcoin wallet to which the payment was made allowed specialists to trace 96 Bitcoins, worth around US$800,000, to the cryptocurrency exchange Bitfinex.
As Bitfinex was operated by two British Virgin Islands companies, it fell under the jurisdiction of the English High Court. The High Court granted the English insurer a proprietary injunction over the cryptocurrency, allowing the insurer to recover the 96 Bitcoins paid as ransom from Bitfinex. By issuing the injunction, the English High Court held that cryptocurrencies are capable of being considered property under English law. The decision has potentially far-reaching consequences for the cyber insurance industry. As distributed ledger technology by its very nature allows the seamless tracking of transactions and wallet-specific contents, monetizing cybercrime might become harder in the future.
However, if affected parties and insurers gain a potential avenue for recovering funds via injunctions against crypto exchanges, it is likely that hackers will turn to non-standardized cash-out methods, such as peer-to-peer transfers in which Bitcoin is exchanged for bank wires of real money, to launder their ill-gotten gains.
Columbia Casualty Co v Cottage Health System
In a case argued before a Californian court, Cottage Health System and its cyber insurer Columbia Casualty Co disputed a denied cyber insurance claim for a data breach that occurred back in 2013. The breach exposed 32,500 patient records of Cottage Health System, which were indexed and freely available in Google’s search engine.
The insurer argued that Cottage Health System had violated the minimum security standards outlined in the policy and that the “procedures and risk controls identified in the Insured’s application to regularly check and maintain security patches on its systems and to enhance risk control” were not adequately followed. Cottage did not correctly configure its file transfer protocol (FTP) servers, leaving all confidential records unsecured on those servers and, worse, allowing them to be indexed by Google, which effectively shared every confidential record with the entire web. In a sense worse than a typical data breach, this could have led, for example, to an employer googling a candidate for a position and being presented with the applicant’s health records.
While the suit was dismissed and referred to alternative dispute resolution as outlined in the policy wording, so we will likely not learn what the final settlement between the parties is or when it is finalized, Cottage Health settled for this breach and an earlier one occurring in 2013 for $23.5 million with the Department of Health and Human Services’ Office for Civil Rights.
Celso De Azevedo
Celso De Azevedo is a barrister based in London specializing in reinsurance, cyber insurance, cybersecurity, data breach, cryptocurrency, fraud, asset tracing and business interruption insurance law. He is the author of “Cyber Risks Insurance: Law and Practice”.
Daniel Kasper is the principal of Cyber Economics.