Recently OFAC, FinCEN, the FBI, and the NY DFS (New York's Department of Financial Services) have each separately issued guidance stating that they would strongly prefer insurance companies not pay ransomware demands. In some cases, depending on how one reads that guidance, they have prohibited paying ransoms to attackers in specific sanctioned countries or on sanctions lists. Regular people cannot determine who is behind a ransomware attack, so this requires hiring a forensics team, or, what is or could be even better, having a cyber insurance policy that provides this service. Some cyber policies do provide this service. Keep in mind that even a forensics team can usually only say that the ransomware variant, the payment wallet, or the attacker's infrastructure is associated with a sanctioned group; attribution is rarely certain, and OFAC has said it may impose penalties on the payer regardless of whether the payer knew the recipient was sanctioned.
What is troubling is that after speaking to several carriers, my impression is they are not taking these directives seriously. Almost all the responses have been, "We have this under control because, really, not much has changed." I have worked with high-level cyber security firms and they seem to be taking these directives seriously, i.e. as if something has changed. Before now there was no directive from four of the most powerful law enforcement and financial regulatory agencies, and now there is a directive from each. Kind of hard to understand how nothing has changed.
From a carrier's position and an agent's position, this directive is potentially problematic because it may change the terms and conditions of insurance policies. If a policy would otherwise have paid a ransom but is now prohibited from paying it, some very deep and significant policyholder communication needs to occur. If a carrier denies a ransomware claim based on these directives, woe be to the agent who sold a cyber policy promising ransom payment coverage if the policyholder was not told earlier that this issue may exist.
A newer and more direct NY DFS directive, Insurance Circular Letter No. 2 (2021), the Cyber Insurance Risk Framework issued February 4, 2021, states insurance companies must, as in MUST, create a strategic cyber risk management plan including educating their agents and insureds relative to cyber risk and cyber insurance. The behavior this directive requires is not optional, and the directive is aimed at the board level. One might think that given how hard the D&O market is, carriers' directors and officers would understand the significance of a board-level directive from a key financial regulator.
However, many carriers seem to think the behavior required by this directive is optional. The directive is pretty clear. On February 8, 2021, Hinshaw Law published an article stating, "[P&C insurance carriers shall] establish a board-directed strategy to measure and manage their cyber insurance risk, incorporating these specific best practices: ...Educate insureds and insurance producers about the value of cybersecurity measures and the need for, benefits of, and limitations to cyber insurance..."
On March 8, 2021, another set of attorneys wrote an article for National Underwriter stating that the guidelines advise against making ransomware payments and that agencies must educate insurance producers so that they have a better understanding of potential cyber exposures, types and scopes of cyber coverage offered, and monetary limits in cyber policies.
I am pretty familiar with cyber education because I have built what I consider to be the best practical cyber education available that focuses on the policies any given agency actually sells versus focusing on a specific policy. Cyber education is hard (well -- there is some easy cyber education, but it is worthless except for the CE credit it provides). Understanding cyber coverage is hard because almost no consistency exists from one policy to another. The definitions vary, the coverages vary significantly, hocus-pocus coverages (coverage in name only) exist, and rarely will any one policy offer sufficient coverage. Quite often the best coverage is a combination of two policies, each offering substantive coverage in certain areas but almost no coverage in other important areas.
When I asked some carriers if they have an education program built to comply with this ORDER, a few advised they have it under control. I know they have no program or I would not have asked the question. Several carriers have read the order and advised me that the ORDER is voluntary.
I hope more insurers' legal/regulatory teams read the order correctly for their own good. Think about it this way: Why are cyber rates increasing 20% to 100% this year? Because insurers recognize the risk is huge. So why are they not recognizing this order, which recognizes that same huge risk? Because they are like everyone else and think cyber only impacts someone else.
Cyber coverage is probably the biggest E&O exposure agents have because very few agents are adequately educated on the subject. It is extremely complex and insureds do not want to buy it, yet the exposures are huge and EVERY SINGLE BUSINESS IS A TARGET! What insureds do not understand is that cyber criminals do not buy a Dun & Bradstreet list and only target businesses of a certain size. They use automated scanners and bots to find and exploit vulnerabilities wherever those vulnerabilities exist (exposed remote-access services, unpatched software, reused or phished credentials) regardless of a business's size. Human decision making is not involved at that level; a human typically only gets involved after the automation has found a way in. If every client could be attacked and yet few have adequate coverage, whether because they did not buy it or because the producer failed to offer it, uncovered claims will result and lead to E&O claims.
Cyber is different too because when selling it, one should not simply offer, "Cyber -- check here." The policies vary too much. In the program I built, we identify a minimum of 12 kinds of cyber. There is no such thing as one kind of cyber coverage; there are at least 12. One prominent carrier has identified 13. Instead of offering "Cyber," one needs to offer 12 or 13 kinds of "Cyber." Offering just one type is likely insufficient to ward off an E&O claim or, better yet, to provide clients with the coverage advice they truly need.
Do not wait for carriers to educate you. They have their heads stuck so deep in the sand they do not understand that a regulatory order is not optional. Get your cyber education NOW or perhaps consider advising your clients that you do not sell cyber because it is beyond your ability.
NOTE: The information provided herein is intended for educational and informational purposes only and it represents only the views of the authors. It is not a recommendation that a particular course of action be followed. Burand Insurance Education, Burand & Associates, LLC and Chris Burand assume, and will have, no responsibility for liability or damage which may result from the use of any of this information.
None of the materials in this article should be construed as offering legal advice, and the specific advice of legal counsel is recommended before acting on any matter discussed in this article. Regulated individuals/entities should also ensure that they comply with all applicable laws, rules, and regulations.