U.S. Treasury warns cyber insurers payments to hackers may violate sanctions

Suzanne Barlyn

(Reuters) - Cyber insurers and other financial institutions that facilitate payments to hackers to end cyberattacks risk running afoul of sanctions rules, the U.S. Treasury Department warned on Thursday.

The warnings, which referenced malicious programs known as ransomware, came in advisories from Treasury's Office of Foreign Assets Control (OFAC) and Financial Crimes Enforcement Network (FinCEN).

Hackers use ransomware to take down systems that control everything from hospital billing to manufacturing. They stop only after receiving hefty payments, typically paid in cryptocurrency.

The warnings add another layer of concern for cyber insurers, who have been ramping up rates and trying to curb exposure to vulnerable customers because of surging costly ransomware claims in recent years.

Cyber policies often cover ransom, data recovery, legal liabilities and negotiators fluent in hackers’ native languages.

Ransomware payment demands have increased during the pandemic as people work remotely and hackers target online systems.

The average ransomware payment jumped by 60% to $178,254 between the first and second quarters, according to Coveware, a firm that helps negotiate and facilitate cyber ransom payments.

Sophisticated insurers and financial institutions are already aware of the sanctions concern, said Sumon Dantiki, a King & Spalding LLC lawyer who advises on national security and cyber matters.

"Will victims who are insured still decide to make the payments?" Dantiki said. "This type of public advisory could affect the calculus there."

OFAC cited cyberattacks dating to 2015 that were traced to hackers in North Korea and Russia, both sanctioned countries.

The United States can impose economic and trade sanctions on countries that sponsor terrorism or violate human rights. Financial institutions that engage with them or some individuals can face prosecution and penalties.

A second FinCEN report pointed to a growing industry of forensics firms that help organizations respond to cyberattacks, including processing the payment.

(Reporting by Suzanne Barlyn; Editing by Aurora Ellis)