Insurance, Sanctions Considerations Among Those at Stake in IST Task Force Recommendations for Combating Ransomware
Client Alert | 4 min read | 05.12.21
The Institute for Security and Technology (IST) recently released recommendations aimed at combating the growing threat of ransomware, proposing a comprehensive framework focused on regulatory and diplomatic ideas designed to disrupt the threat and to assist organizations in preparing for and responding to ransomware attacks. Ransomware crimes pose significant legal challenges that continue to evolve alongside the threat itself, as efforts to combat ransomware attacks, such as those proposed by the IST, are developed and implemented. Organizations should remain mindful of this quickly evolving legal landscape.
The prevalence of ransomware attacks continues to increase, affecting organizations large and small, particularly through attacks that involve payment of ransom in cryptocurrency. According to estimates, the global cost of ransomware attacks in 2020 reached $20 billion, while victims paid at least $350 million in ransom payments.
When an organization is victimized by a ransomware attack, in which a cybercriminal essentially locks the organization out of its own computer network unless it pays the bad actor a ransom to regain access, the results can be devastating. Not only will the victim potentially deal with the harmful consequences associated with losing access to its data, it also faces a host of ethical and legal issues. A ransomware victim and its insurers are confronted with many difficult questions. For example, will the victim be liable to its customers for the breach? Will payment of a ransom to a then-unknown cybercriminal violate U.S., UK, EU or other relevant sanctions laws, and, if so, will that affect the availability of insurance coverage for the breach? Will the victim or its insurers face legal penalties as a result of the payment of a ransom? These are just some of the questions that will inevitably follow. It is, thus, vital for all organizations to understand the unique legal challenges posed by ransomware attacks.
Given the many threats posed by ransomware attacks and their increasing frequency, both the Department of Justice (DOJ) and the non-profit IST have convened task forces to develop strategies to combat this growing problem. DOJ has vowed to employ criminal, civil, and administrative actions to fight ransomware, including taking down servers used to spread ransomware and seizing criminals’ gains. And the IST task force recently released a report containing 48 recommendations for combating the threat of ransomware.
The IST task force viewed the threat of ransomware not only as a serious financial crime, but also as a national security risk. The task force brought together over 60 members of technology companies, government agencies, and academic institutions to produce a comprehensive framework for a public-private anti-ransomware campaign. The overarching goals of the task force were to deter ransomware attacks through a comprehensive and coordinated strategy, disrupt the ransomware business model and reduce criminal profits, help organizations prepare for ransomware attacks, and respond to ransomware attacks more effectively.
Many of the IST task force report’s recommendations focus on regulation of cryptocurrency and include:
- increased regulation of the cryptocurrency that facilitates ransomware crime, including requirements for cryptocurrency exchanges, kiosks, and trading desks to comply with existing laws, such as know your customer, anti-money laundering, and counter-terrorist financing laws;
- designation of enforcement bodies by regulators to penalize non-compliant cryptocurrency actors;
- requirements for ransomware victims to report extortion payments to the government in exchange for a limited liability protection, including that the report cannot “form the basis for a regulatory or other enforcement action”;
- creation of a “Ransomware Response Fund” to support ransomware victims that refuse to pay the ransom demanded of them; and
- the employment by government authorities of sanctions or diplomatic consequences on nations that allow ransomware attacks to take place within their territory.
The full IST task force report can be found here.
It remains to be seen whether the IST task force’s recommendations for governmental response to the growing ransomware problem will be enacted. Whether the IST recommendations are implemented or not, it is important to stay abreast of the growing calls for governmental action in response to the ransomware threat and the potential for regulatory and legal changes in this area. In particular, it is vital for all organizations and their insurers to know the ethical and legal risks associated with a ransomware attack and the specific legal issues that can follow, particularly when cryptocurrency is involved.
Crowell & Moring is helping clients understand, prepare for, and respond to the wide range of legal issues a ransomware attack can present. Our attorneys provide holistic advice through cross-practice teams addressing issues that arise from the use of cryptocurrency, which will almost certainly be the medium in which payment is required; considerations in assessing sanctions risk, exposure, and potential regulator outreach, including compliance with advisories from U.S. sanctions and anti-money laundering regulators (which we summarized in a previous alert here); and guidance on insurers’ rights and obligations where insurance coverage may potentially respond to a ransomware incident. We have, to date, assisted clients across multiple industries grappling with ransomware attacks, which are becoming an unfortunate reality of international business across virtually all industry areas.