The legality of cyber extortion payments

Insurers need to be mindful of the risk of breaking the law when making payments in respect of extortion threats.

Introduction

All individuals and legal entities incorporated, located or conducting business within the EU must comply with the EU and UK financial sanctions regime in force. It is a criminal offence to breach a financial sanction. In Mamanochet Mining Ltd v Aegis Managing Agency Ltd the Court was asked to consider the question of the insurability of payments made when a sanctions regime was in place. Insurers had been asked to pay a claim in circumstances where the policy in question excluded the insurer’s payment obligations where that payment would “expose” the insurer to any sanctions. Insurers were ordered to pay the claim; the Court examined the circumstances and drew a clear distinction between “exposure to” sanctions and “a risk” of being sanctioned.

The Mamanochet case is an example of the difficult line sometimes walked by insurers when seeking to ensure that making a payment under a policy does not put them in breach of the general law. Insurers need to consider, both when agreeing the scope of cover and when later making any claims payments, the question of whether any payments made in accordance with their contractual obligations would place them in potential breach of criminal, civil or regulatory rules. Our article on the insurability of fines can be found here; indemnity for fines and penalties is usually excluded for public policy reasons, but many cyber policies offer cover to the extent that fines are “legally insurable”, which can raise difficult coverage questions. It is worth also considering the questions which may arise in respect of cover under various types of policy for losses arising from an extortion threat.

Cover for extortion payments

The payment of a ransom (whether directly or indirectly) is not of itself illegal. Most cyber policies will cover payment of extortion monies, and related costs and expenses (such as forensic IT costs and similar), subject to conditions such as notifying the relevant authorities of any threats and obtaining insurer’s written consent to the payment of a ransom. Similarly, some D&O policies (side C) include cover for direct financial loss incurred as a result of an extortion threat. It is increasingly common for cyber criminals to make a cyber extortion threat, namely to demand monies in exchange for the return of data and/or system access, accompanied by a threat to release stolen data, introduce or activate malware or ransomware or to lock down the victim’s system.

As well as the prohibition on making payments when sanctions are in place, section 17A of the Terrorism Act 2000 forbids insurers from paying a ransom if there is reasonable cause to suspect that the ransom “will or may” be used for causes connected to terrorism. An insurer commits an offence if making a payment “in respect of any money or other property that has been, or is to be, handed over in response to a demand made wholly or partly for the purposes of terrorism, and …the insurer or the person authorising the payment on the insurer's behalf knows or has reasonable cause to suspect that the money or other property has been, or is to be, handed over in response to such a demand.” To the extent that the corporate has committed an offence “with the consent or connivance of”, any “director, manager, secretary or other similar officer” may also find themselves liable. Similarly, if the insurer is aware of payments by an insured which may breach the rules then it commits an offence by not reporting that to the authorities.

Terrorism is defined as an act (including interference or disruption of an electronic system) which is designed to influence government, or intimidate the public, for the purpose of advancing a political, religious, racial or ideological cause. This can create obvious difficulties both for insurers (as well as for the insured who has received the threat). The malicious actors in any extortion situation are usually anonymous, and their underlying aim, together with the ultimate destination of any ransom payments, is usually entirely unknown.

In an often business critical situation, where the insured is clearly very keen to regain its system access, data or similar as fast as possible, there can be little time in which to investigate the potential destination of and use of the funds. As happened in Mamanochet, taking too conservative an approach to the potential risks (resulting in a strict view on coverage) could see insurers facing costly litigation as the result of claims by the insured for breach of contract. It is crucial, however, for insurers to devote some time to considering the question of legality before making or authorising any payment under the policy. Appropriate due diligence needs to be conducted as urgently as possible, in the interests not only of insurers but anyone else potentially at risk of criminal sanctions should any link to terrorism emerge after payments are made. Ensuring that law enforcement authorities are informed and involved at an early stage may assist; not least, acting with “the express consent of a constable” may provide a defence.

In circumstances where the identity of the person(s) issuing the threat is unknown, arguably there is no actual knowledge, or “reasonable cause to suspect”, that the cyber extortion threat comes from someone potentially connected to terrorism. Given that the majority of attacks in recent years appear to be motivated by financial gain rather than ideological purposes, in the absence of anything to suggest otherwise it seems reasonable to assume that there isn’t a link to terrorism.

Conclusion

It is essential for insurers to make appropriate enquiries as to the destination of any ransom payments, and the identity of the cyber criminals, before making any payments to the insured, and to monitor the position as forensic investigations continue. Even if the insured (or any third party making payments on the insured’s behalf) had not committed an offence under the Terrorism Act when paying a ransom, if subsequent information emerges which gives insurers reasonable cause to suspect links to terrorism, it would be an offence then to indemnify the insured under the policy. Insurers will obviously wish to satisfy themselves that they have not inadvertently strayed across the line, with the potentially very serious consequences that would bring both for the corporate body and for any personnel involved in the decision-making around the ransom payment. Similarly, insurers will need to try to ensure that no financial sanctions or asset freezing measures will be breached when making payments. As demonstrated by the Mamanochet decision, insurers must at the same time be mindful of their contractual obligations. This can be a difficult line to walk.

This document (and any information accessed through links in this document) is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from any action as a result of the contents of this document.