Will FinCEN’s Crypto Conundrum Hurt Ransomware Victims?


Ransomware was invented 30 years ago when an AIDS researcher mailed between 10 and 20 thousand 5.25-inch floppy disks emblazoned with the name “AIDS Information Version 2.0” to people and businesses around the world. Over the past 30 years, much has changed, including our use of computers, which now, instead of being attached to cathode ray television sets, fit into our pockets. The trajectory, from floppy disks in the '80s to e-commerce by the early 2000s, has culminated in the minting of digital money. Since then, as the use of cryptocurrency has grown, other industries have grown with it. One industry, often overlooked, is ransomware. Ransomware is a plague on businesses worldwide. Indeed, the U.S. government recommends not paying these ransoms. New guidance, however, issued by the Financial Crimes Enforcement Network (“FinCEN”) to the industry in late 2020, takes this too far; it threatens to impose sanctions on the insurance industry that has bloomed around cyber crime and will likely hurt the victims, not the criminals.

Ransomware is Everywhere

“Today, ransomware is a booming business for cyber criminals, making cyber insurance a business imperative,” says Bridget Choi, the General Counsel of Kivu Consulting, a digital forensic-incident response (“DFIR”) firm, who leads its regulatory program. “Since the dot.com boom, cyber insurance has become a billion-dollar industry.” Originally designed to be a risk transfer should a network go down and a business lose revenue, cyber insurance is now frequently used to protect against and respond to ransomware attacks. And cyber insurance claims happen to be an excellent metric for tracking these cyber-attacks. “As recently as 2013, the large cyber-claims were typically well-known data or payment card data security breaches,” explains Choi. “With the growth of digital payments and cryptocurrency, the cyber threat landscape has changed.” Indeed, the FBI estimates that “$144.35 million in Bitcoin have been paid” for ransomware attacks between 2013 and 2019. Estimates for ransomware payments for 2020—based in part on the surge in remote work spurred by COVID-19—reached…
