Cyber extortion – legality of ransom payments and the approach of businesses and insurers
Sami Paracha of Taylor Wessing has an article on cyber-extortion and ransom demands from a UK perspective. It makes for interesting reading. The article begins:
Cyber Security is an omnipresent risk for most businesses. And it is a growing risk given the more frequent and serious cyber attacks, higher costs for proactively managing these risks (or curing a cyber security breach), and potentially higher fines following a breach with implementation of the GDPR on the horizon. The approximately 500 million recently compromised Yahoo accounts are a pertinent reminder of these risks. CFC Underwriting has also recently commented that it is being notified of claims under its policies at a rate of more than one a day, particularly from SMEs with revenue under £50m and “ransomware” is behind a significant number of claims.
Cyber extortion, including threats and/or ransom demands connected with cyber attacks, is a risk which can cause great uncertainty for businesses – particularly in relation to how the extortion threat should be handled, for example, whether a ransom demand should be paid, whether such payment is legal and whether insurers may cover the ransom payments.
Read more on Lexology, and ask yourself whether you know if your insurance policy would cover a ransom or extortion demand, and under what conditions. Of course, that’s a somewhat separate question from whether entities should pay a ransom demand, and the questions Paracha raises are the same ones we’ve seen elsewhere, i.e., they do not appear to be country-specific.