Thoughts from the Cyber Risk & Insurance Innovation USA Conference


Marissa Olsen, Aspen Senior Vice President, Global Head of Cyber Liability Claims, recently spoke on two panels at the Cyber Risk & Insurance Innovation USA Conference in Chicago.

The first panel, Bridging Defenses: Ransomware’s Impact on Cyber Insurance Strategies, addressed the increasing frequency and severity of ransomware attacks in 2023, but also noted that the number of companies paying ransoms dropped in 2023. The panel shared information on the requirements of the Office of Foreign Assets Control (OFAC) related to ransom payments and on how cyber insurance can help an insured’s preparedness.

Marissa’s second panel, The Cyber Ecosystem’s Responsibility in Post-Incident Navigation, focused on the post-breach portion of a cyber-attack and ways to minimize downtime. This includes insureds holding pre-breach planning meetings, implementing a protocol for post-incident management, as well as regularly communicating with their brokers. In addition, the panel spoke about how to help reduce the financial impact of cyber incidents.

The following is a Q&A related to information and insights shared by Marissa as a speaker.

What are the OFAC requirements for cyber ransom payments?
The OFAC is part of the US Department of the Treasury. For cyber ransom payments, the OFAC requires that, prior to making a payment to any entity, a search must be done to ensure that the particular entity is not on the OFAC sanctions list. This list includes individuals and companies controlled by or acting on behalf of certain countries, as well as terrorists and narcotics traffickers. Prior to making a ransom payment, it is important that a thorough OFAC check is completed to ensure that payment is not made to an entity or individual on that list.

Why had the number of payments decreased in 2023?
As a featured speaker on the panel, I can say that we all agreed and hoped that payments decreased because of efforts by the insurance industry (insurers and brokers) to educate insureds on the rationale for not paying ransom. In brief, paying ransom does not reduce the risk of having lawsuits brought against a company that has suffered a breach. This is because, regardless of whether the company pays ransom, it will likely be obligated under the law to notify those individuals impacted by the breach (i.e., their information was seen and/or taken by the threat actor, thus increasing the possibility of an individual’s credentials being sold on the black market), which will put them on notice of the event. In addition, when a company makes a ransom payment, it is literally paying a criminal. This is not positive for the company’s reputation, and there is no way of knowing whether the threat actor will really suppress the data, or if the threat actor will subsequently still sell or publish it.

Could you explain how cyber insurance impacts ransomware attacks and how it can help with preparedness?

Although the panel agreed that it was difficult to assert whether having cyber insurance impacts an attack one way or the other, having this insurance does enable the insured to be better prepared.

Although insurance policies are not public, it is assumed that most large corporations have some sort of cyber coverage. Conversely, for exceptionally large corporations, their profits are often public information, and threat actors may assume that those companies have sufficient funds to pay a ransom, regardless of whether the company has a cyber policy in place.

That all said, companies should look at cyber insurance as more than just a policy; it should be a risk management program. For example, Aspen offers certain services to policyholders, such as technical and legal tabletop exercises, cybersecurity improvement plans, ransomware resilience assessments and pre-breach planning meetings to assist in establishing cyber-attack protocols. Having services like these can help ensure preparedness before, during and after an incident.

Could you explain why it’s important to work with brokers?

A key discussion point during the second panel was the importance of pre-breach preparation. This comes in several forms, including tabletop exercises, education and training, and pre-breach planning. When an insured works with its broker and carrier on creating a contingency plan prior to a breach, there is a greater ability to recover more quickly following an incident. In addition to alerting an insured’s key stakeholders, the plan should include notifying both the carrier and breach counsel immediately, as well as vendors that can assist in accessing critical backup systems. Brokers often will advise their clients on preparedness and will collaborate with carriers who have end-to-end cyber risk management services available on day one. While it may not necessarily prevent an attack, it can reduce a company’s downtime and profit loss, enabling the insured to react faster and more efficiently, which can reduce any regulatory fines and third-party lawsuits.

Lastly, could you share several best practices from the panels that an insured should follow after a cyber incident?

  1. Contact your broker and insurer immediately after an incident.
  2. Create an incident protocol that can be put into place right away.
  3. Seek guidance from counsel early on following an incident.
  4. Maintain updated backups offsite.
