Cyber extortion – how should insurers respond?
This article considers the recent ransomware attack on Travelex and the wider implications of extortion threats for insurers.
Summary
The recent cyber-attack on Travelex serves as a cautionary reminder to insurers of the considerations and risks involved when responding to extortion threats.
Targeted cyber extortion is increasingly common; namely, where a criminal demands payment through the use, or threat, of some form of malicious activity against the victim, such as ransomware or a denial of service attack. How should the extortion threat be handled in the aftermath? Should a ransom demand be paid, and is such payment legal? Are insurers permitted to provide cover for ransom payments? This article explores these and other issues arising from cyber extortion incidents.
Background
On New Year’s Eve 2019, Travelex suffered an attack on its IT systems and was forced to take down its websites across 30 countries to contain “the virus and protect data”. The virus that infiltrated Travelex’s systems is reported to be the Sodinokibi ransomware, also known as REvil, which is used to encrypt data and demand a ransom in order to unlock such data. Travelex’s systems have now been offline for almost two weeks during which employees have been conducting transactions by hand. The knock-on effect of that is that corporates and various financial institutions (such as Sainsbury’s, Tesco and Virgin Money) have been unable to offer customers their foreign exchange services, for which they depend upon Travelex.
In the meantime, the hackers claim to have 5GB of valuable customer data (for example, credit card information, national insurance numbers and dates of birth) that they intend to sell if Travelex does not pay them USD 6m by 14 January 2020. Travelex’s parent company, UAE-based Finablr, is understood to have “computer-crime insurance” to cover cyber risks.
To pay or not to pay
The payment of a ransom (whether directly or indirectly) is not of itself illegal as a matter of English or international law. A victim of cyber extortion can, therefore, choose to pay the ransom, and many companies do, on the basis that the consequences of not paying would be far greater, in terms of business interruption losses, potential third-party claims (from both customers whose personal data has been compromised and financial institutions and corporates who are unable to provide foreign exchange services to their customers) and the costs of containing and investigating the attack. Insurers may, therefore, indemnify an insured in respect of a ransom payment, either directly, or by paying a third party who paid the ransom on the insured’s behalf.
Most cyber policies will cover payment of extortion monies, and related costs and expenses (such as forensic IT costs), subject to certain conditions (for example, reporting to relevant authorities in the applicable jurisdictions). However, insurers should be mindful of the provisions of the Terrorism Act 2000 and the EU financial sanctions regime, which forbid the payment of funds if there are links to terrorism and/or certain entities or individuals. Pursuant to Section 17A of the Terrorism Act 2000, an insurer commits an offence if it provides an indemnity under an insurance policy when it knows or has reasonable cause to suspect that the money or other property has been handed over in response to a demand made for the purposes of terrorism. Equally, it commits an offence where it fails to report to the authorities that another party has made a payment (ie the insured or its agent) in similar circumstances. Terrorism is defined as an act which is designed to influence government, or intimidate the public, for the purpose of advancing a political, religious, racial or ideological cause.
Insurers will need to be careful to consider the question of legality before making or authorising a ransom payment under an insurance policy. This will involve carrying out appropriate due diligence as quickly as possible in respect of the destination of any ransom payments and the identity of the cyber criminals. Whilst these factors can be difficult to identify, particularly as there is often little time in which to investigate, they are important steps for insurers to take if they are to protect themselves from the risk of falling foul of the Terrorism Act 2000. Early engagement with the Police and Action Fraud UK may assist with insurers’ due diligence process (although a company is not currently obliged to involve law enforcement when it has been the victim of cyber extortion).
There are also commercial considerations as to whether or not to pay a ransom. Advice from cybersecurity and government security experts in the UK and more widely is generally not to pay extortion demands (as to do so would only encourage further crime and, in any event, there is no guarantee that access to the files will be restored once the ransom has been paid). There is also a risk that, in the event of payment on one occasion, the victim will be targeted again and again.
Data protection considerations
Notably, the media has reported that the ICO has not received a data breach report from Travelex, notwithstanding that the hackers claim to hold personal data. Following the introduction of the General Data Protection Regulation (GDPR), companies that fail to comply with their reporting obligations (within 72 hours) may face a maximum fine of 4% of their global turnover. Travelex, therefore, potentially risks suffering the same fate as British Airways and the Marriott hotel group, who are facing potential fines of £183m and £100m by the ICO, respectively.
It is thought that the hackers are seeking to “weaponise” such GDPR fines in order to encourage payment and this element of the extortion may be particularly effective given that GDPR fines are generally considered to be uninsurable as a matter of English law on the grounds of public policy.
Indemnity for fines and penalties is usually excluded for public policy reasons, but many cyber policies offer cover to the extent that fines are “legally insurable”.
There is no statutory or regulatory prohibition against insuring fines for breaches of the GDPR. However, it is generally considered that fines cannot be insured because of the illegality defence (ie a person should not be able to insure against a fine for criminal or quasi-criminal conduct, since that would defeat the deterrent and/or punitive effect of the fine). That position may be influenced by the case of Singularis v Daiwa and our article on that case can be found here.
With the deadline looming, it remains to be seen whether or not Travelex will meet the hackers’ demands and, indeed, whether payment of the ransom will trigger the cyber cover it is said to have in place.