INSURERS: Regulators are coming for ransomware, just not in the way you may think

By Jenny Soubra, Head of US Cyber & Technology

One of the things that has always moved the cyber insurance market is regulatory risk, and perhaps now regulations can be our salvation.

The cyber insurance market is red hot. And as at any point of inflection, there are many different paths the cyber insurance space could take. Hard markets often create new opportunities and potential pitfalls that insurers and their customers will have to contend with for years to come. Should cyber insurers today scale and diversify to keep expenses manageable in the face of anticipated high claims volumes, or narrow and focus on the best performing sectors/attachment points in hopes of out-selecting claims? The algorithm is complicated.

Let’s face it, the reason we are having to ask these questions not annually, but in some cases hourly, is ransomware.  What should cut through the noise here is that help may be on the way.  Because just like the cyber insurance market is facing an inflection point with profitability, aggregation and strategy, the regulatory bodies tasked with preventing this insanity are facing an inflection point in terms of public opinion, market volatility, and general optics.

This is not to say that legislators couldn’t step into the equation, but if last year’s Facebook whistleblower testimony (and basically any congressional inquiry of any tech firm) informs us on this issue at all, it indicates that the legislators have insufficient understanding to manage the problem. By contrast, it would seem that the regulators at the SEC can understand the risk. The unsung heroes of much of this battle seem to be the SEC, NYDFS, and others not traditionally focused on cyber security, but rather on securities broadly.

Some of the regulatory bodies and trends that may come into play in this space include:

  • SEC: The SEC’s recent announcement of contracting to develop capabilities to perform deep analysis and tracing on smart contracts (AnChain.AI) underscores their commitment to monitoring risk, improving compliance and informing commission policy on cryptocurrencies and other digital assets. The announcement seems more akin to getting the accountant that handled Al Capone’s books to create policy solutions preventing that same playbook, rather than merely having them testify. That said, it is also still in a gray zone that neither analogy really does justice to.
  • OFAC: The OFAC’s recent advisory on ransomware payments spotlights the possibility of sanctions against crypto firms and other companies, including insurers, who facilitate or aid in the recovery of ransomware payments. As expected, the advisory discourages ransomware payments and makes cooperation with law enforcement a mitigating factor in cases where a company makes a payment to an organization on the Specially Designated Nationals and Blocked Persons List (SDN List). Of note is the recommendation that companies implement a “risk-based compliance program to mitigate exposure to sanctions-related violations.” Such sanctions would apply to cryptocurrency companies who facilitate payments as well as insurers and others that aid in the response to a ransomware attack.
  • NYDFS: As the first state banking regulator to issue a stand-alone virtual currency regulatory framework, the New York Department of Financial Services (NYDFS) continues to play a leading role in monitoring cryptocurrency and bolstering cybersecurity. An NYDFS framework of best practices for insurers to manage cyber risk issued earlier this year echoes OFAC’s position of discouraging ransomware payments and cautions insurers and their policyholders about the possibility of a ransomware payment violating the OFAC economic sanctions program. In addition, NYDFS recently imposed its first cyber security regulation enforcement actions, signaling its intent to pursue violations to the fullest extent.
  • FATF: The Financial Action Task Force (FATF), an international body that coordinates government policy on illicit finance, has issued guidelines for governments to increase oversight of crypto firms. Measures would require crypto firms to check their customers’ identities and report suspicious activity to regulators. As part of its goal to combat terrorist funding, the agency’s recent guidelines could also serve to curb the means of funding ransomware.

It remains to be seen whether these regulators fully understand how much they can do to mitigate correlated problems, not just ransomware, but the follow-on risk associated with technology adoption of crypto and other digital assets. By extension, the development of technology auditing and similar capabilities by a regulator with real teeth could also help solve the insurance sector’s ongoing challenge to manage (endemic) aggregation risk associated with cyber exposures. The regulation of the means of payment for ransomware (crypto) could end up taking the money out of the value chain that disrupts the digital (and sometimes physical) supply chain. That basic fact is an undervalued point of importance for nearly anyone outside the insurance, compliance and/or risk management arenas, and for many of those within.

While the trend toward technological enablement of regulatory oversight begs the question, “can technology put back into the bottle the genie that it has helped free?”, in the case of ransomware we know the nameless, faceless, shadowy actors and funds exist. The nebulous nature of the funds created the problem of a well-funded criminal enterprise without the same sort of paper trail that helped bring down earlier generations of crime syndicates. As a result, regulators are getting creative in their oversight tactics, turning for solutions to the technologists that know the problems best and, in a few cases, helped create them.

So here we cyber insurers sit, at a crossroads in terms of technological evolution, regulatory evolution, and product evolution and ponder which path to take individually and collectively.  And no matter what path the market takes, I think all of us will eventually understand the immortal words of Robert Frost, “I shall be telling this with a sigh, somewhere ages and ages hence. Two roads diverged in a wood and I – I took the one less traveled by. And that has made all the difference.”