The Treasury Department is asking questions about how to boost the insurance industry around cyber terrorism. The request focuses on potential changes to programs established in the wake of 9/11, and states, quote, “Gathering additional data about coverages and losses—including to ransomware—would help assess the adequacy.” The comment period seeks feedback within 45 days.
Quoting from Nextgov, “A comprehensive review of the Treasury program is expected this spring, a Government Accountability Office official told Nextgov. Treasury is navigating a narrow course between trying to work with insurers to gather data on ransomware payments and warning insurance companies and other financial third parties that they run the risk of violating sanctions by making such payments—due to the probability of attacks being sponsored by adversarial regimes, such as Russia.” End quote.
Treasury noted that quote “one of the most important mitigation criteria is whether the victim the company has engaged federal law enforcement prior to paying the ransom.”
Why do we care?
This is a small but significant story. I’ve covered changes and concerns in the insurance industry related to cyber coverage multiple times now. The problem is large enough that regulators are looking into it. That’s not a bad thing.
The attacks are crimes. Why wouldn’t law enforcement be involved? And to be involved, of course, regulators need to be investigating.
Here’s your comment period – and in particular, those consuming or advocating for their customers should be paying attention here.