Cyber Security is an omnipresent risk for most businesses. And it is a growing risk given the more frequent and serious cyber attacks, higher costs for proactively managing these risks (or curing a cyber security breach), and potentially higher fines following a breach with implementation of the GDPR on the horizon. The approximately 500 million recently compromised Yahoo accounts are a pertinent reminder of these risks. CFC Underwriting has also recently commented that it is being notified of claims under its policies at a rate of more than one a day, particularly from SMEs with revenue under £50m and “ransomware” is behind a significant number of claims.
Cyber extortion, including threats and/or ransom demands connected with cyber attacks, is a risk which can cause great uncertainty for businesses – particularly in relation to how the extortion threat should be handled, for example, whether a ransom demand should be paid, whether such payment is legal and whether insurers may cover the ransom payments. This can be further complicated by the fact that the threat is often made with a short deadline for compliance with the demand. We address below the nature of cyber extortion threats and the approach businesses and insurers may take when cyber extortion arises.
The nature of cyber extortion
Cyber extortion can arise in various forms. It can arise in the form of malicious software (“malware” or, in this case, “ransomware”) which infects an IT system and encrypts the business’s information with release of the information promised on payment of the ransom demand. Common methods of cyber extortion include:
- Ransomware delivered as malicious code disguised as an attachment to an innocuous email sent to any number of individuals in the business, which may spread across the business’s entire IT system once any one person opens the attachment.
- Hackers obtaining sensitive information and demanding payments with the threat of releasing the information to the public.
- A business may receive a threat of a cyber attack (for example, a DDoS attack which would take down the business’s website – a particularly serious threat if it is an online business) and a demand for payment to avoid the attack.
- Malware jeopardising the running of infrastructure or devices connected by the Internet of Things (“IoT”) – again with a ransom demand to prevent damage. Some malware may be too large to run on IoT devices but ransomware can be much lighter with only a few commands and an encryption algorithm.
With the frequency of attacks on the rise, cyber extortionists are certainly finding a lucrative business for themselves. The approximate sums demanded by cyber extortionists generally range from several hundred to several thousand Pounds/Dollars (although the demand may be made out in Bitcoins rather than traditional currency). These relatively low sums tend to prompt businesses to pay the demand – particularly as payment potentially results in the decryption and return of sensitive company information. However, there is at least one high-profile example of a much higher demand from a ransomware attack on a US hospital in February 2016. Hollywood Presbyterian Medical Center received a demand for 9,000 Bitcoins (approximately $3.4-3.6m at the time) and eventually paid 40 Bitcoins (approximately $17,000) in order to regain access to its systems. The amounts demanded by cyber extortionists may well rise in the future.
The legality of ransom payments
There is no broadly applicable English legislation which makes ransom payments illegal. There is also no general duty on ransom payers to report incidents to the police (although they have the option to report them to the police or to specialist policing teams such as Action Fraud, IFED or Falcon). Ransom payments are also not illegal under international law.
Legal commentary and case law on the likely approach of the courts in respect of ransom payments is limited. However, in Masefield AG v Amlin Corporate Member Ltd (The Bunga Melati Dua), a case related to maritime piracy and ransom demands for safe return of the vessel and crew, the Court of Appeal held that there was no general public policy argument against paying ransoms and stated that:
“…there is no universal morality against the payment of ransom, the act not of the aggressor but of the victim of piratical threats, performed in order to save property and the liberty or life of hostages. There is no evidence before the court of such payments being illegal anywhere in the world. This is despite the realisation that the payment of ransom, whatever it might achieve in terms of the rescue of hostages and property, itself encourages the incidence of piracy for the purposes of exacting more ransoms. (Perhaps it should be said that the pirates are not classified as terrorists. It may be that the position with regard to terrorists is different).”
The Court in Masefield aptly highlighted that the public policy position in respect of terrorists may well be different. Section 17 of the Terrorism Act 2000 (“TA00”) created an offence in respect of any person who enters into a funding arrangement and knows or reasonably suspects that it will or may be used for the purposes of terrorism. The actions and modus operandi of Somali pirates or cyber extortionists are usually not linked with terrorism. However, if the victim of the cyber attack knows or reasonably suspects that the attackers are linked to terrorism then section 17 of the TA00 would make payments to these attackers illegal.
The Proceeds of Crime Act 2002 (“POCA”) creates various offences making dealings with criminal proceeds illegal. However, POCA is not relevant to ransom payments since the payments do not become proceeds of crime until they are received by the cyber extortionists. POCA does not make illegal any payments which subsequently become proceeds of crime.
Risk to businesses and their approach
At present, given the low sums demanded in most cyber extortion attacks, there is a tendency for businesses to simply pay the demand. Such payments may well be made by employees without proper internal reporting procedures – perhaps, for example, by employees who enabled ransomware to intrude into the business’s IT systems by clicking on an email attachment and feel they are directly responsible.
There is no universal approach as regards the merits of making ransom payments. On a broader view, terrorism is a scenario where a strict stance against payments is frequently taken, including by English law under the TA00. Conversely, the Court in Masefield noted the reality of the fragile status quo between the pirates and ransom payers and was guided by expert evidence which stated that negotiation and payment of ransoms was the only realistic and effective manner of obtaining the release of a vessel and its crew.
There are various commercial and sensible arguments against making ransom payments and, to cite a few here: (i) making payments would likely encourage further attacks; (ii) the attackers gain knowledge that the particular business is in fact willing to pay ransoms; (iii) the ransom payments ultimately fund criminal activity; and (iv) making a ransom payment does not guarantee the outcome which the business is hoping to achieve.
Ultimately, it will be for businesses to decide how to mitigate the risks of, and respond to, cyber extortion attacks and the exact response may differ on the specific facts of a breach. However, any business should maintain robust reporting procedures, adequate policies/guidance and training for its staff to know how to react, and a systematic and rehearsed response which the business can rely upon rather than improvising when an attack occurs. Businesses can also mitigate this risk by obtaining insurance cover and being aware of their policy provisions (see below).
Insurance coverage for cyber extortion
Businesses are increasingly obtaining cyber insurance cover as an element of their risk mitigation plan. Such policies generally provide coverage for costs to the insured victim of responding to a cyber attack (“first party costs”) and potential liabilities/costs to third parties (“third party costs”). Cyber extortion coverage is for a first party cost.
Cyber policies vary drastically in respect of coverage and there is no standard basis of cover. Any given policy may well provide cover in respect of cyber extortion costs, be silent on such losses (and it would likely be difficult to argue they fall under a different insuring clause), or expressly exclude such cover. Further, the policies which do provide coverage for cyber extortion vary in their wording. It is, therefore, crucial to review and understand the policy provisions.
Insuring clauses for cyber extortion usually provide cover for the ransom payment itself (or in some policies, if goods/services are demanded, the monetary value of those goods or services) as well as the costs for responding to the cyber extortion threat. However, this coverage will be subject to various conditions which may include:
- taking reasonable steps to ascertain that the cyber extortion threat is genuine;
- promptly notifying the insurer and providing updates;
- obtaining the insurer’s prior written consent;
- reporting the threat to the police (or allowing the insurer to do so); and/or
- ensuring that the ransom payment is made or approved by a company director or senior manager.
As more businesses look to purchase cyber cover, there may be more insurance policies in the market that provide cover for cyber extortion threats. Of course, if cyber extortion coverage does become more prevalent, the practice of cyber extortion may simply expand in response.