
Can cyberinsurers or reinsurers justifiably refuse to reimburse victims for ransom payments to those on the U.S. sanctioned list?

October 15, 2024
Source: Wikimedia. By Norbert Aepli, Switzerland. Used under CCL.

If your company is the victim of a ransomware attack and you decide you have no choice but to pay the threat actors, can your cyberinsurer or cyberinsurance reinsurer decline to reimburse you if the threat actors you paid are on Treasury’s sanctioned list? Would reimbursing that payment expose the cyberinsurer or reinsurer to problems with the U.S. government for not complying with the sanctions? And is the mere possibility of consequences from the U.S. government for reimbursing payment to those on the sanctioned list enough to justify refusing to reimburse the insurer?

A case in Switzerland answered those questions in a way that is likely to make cyberinsurers and reinsurers unhappy. Jacques de Werra and Célian Hirsch discuss the myriad issues raised in this case and the decision in “Judgment of the Federal Supreme Court of 17 August 2023.”

The decision may seem disappointing to those who hoped that the fear of paying a sanctioned entity would dissuade victims or their insurers from paying.

Although this case would not be precedential in the U.S., and the facts of each case will be different — including how difficult it may be to demonstrate linkage between the threat actor who was paid and the party or group listed on the sanctions list — it is not clear what impact it may have on cyberinsurers or reinsurers going forward. If the possibility of running afoul of U.S. sanctions is not sufficient by itself to justify refusing to reimburse a victim when it is likely the payee was the party on the sanctioned list, and if the U.S. government has no history to date of penalizing ransomware victims who have paid threat actors on the sanctioned list, then fear of potential consequences may not be a viable argument to justify refusal to reimburse clients.