Do Laws Enacted By North Carolina and Florida Prohibit Ransomware Payments by an Insurer Under a Cyber Insurance Policy?

The short and simple answer is “No,” as long as the insured is not a public agency such as a county or a municipality.  However, there always seems to be possible exceptions at play when it comes to cyber insurance … be aware that pending legislation in the state of New York, if enacted, would prohibit ransomware payments by not only public agencies but also by insurers on behalf of its insureds. 

North Carolina and Florida’s Laws Do Not Prohibit Ransomware Payments by Insurers

With the increasing number of ransomware attacks against state and local government, North Carolina became the first state to prohibit state agencies and local government entities from paying a ransom following a ransomware attack. The state’s law specifically prohibits a state agency or local government entity from submitting payment to a cyber-pirate who breached an IT system by encrypting data and then offering to decrypt it in exchange for a ransom payment.  The law effectively prohibits any negotiations with the cyber-pirates, as it prohibits communications with the cyber-pirate. Instead, the law requires that a government entity that receives a ransom payment demand in connection with a cybersecurity incident must consult with the North Carolina Department of Information Technology.

Later in 2022, Florida passed similar legislation, outlawing ransom payments by a state agency, county or municipality. While North Carolina’s law encompasses universities in its definitions of local government entities and state agencies prohibited from paying a ransom, Florida’s law does not. Furthermore, Florida’s law does not prohibit communication with cyber-pirates demanding a ransom. 

Pending Legislation in New York Would Prohibit an Insurer’s Ransomware Payment on Behalf of an Insured

If passed, the pending New York Senate bill would be the first state law to bar payments by private companies.  As p written, the law would prohibit a business entity [defined as any legal entity that does business in New York] from paying or having another entity pay a ransom on its behalf in the event of a cyber incident or a cyber ransom/ransomware attack.  A “cyber incident” is defined as the compromise of the security, confidentiality, or integrity of computerized data due to the exfiltration, modification, or deletion that results in the unauthorized acquisition of and access to information maintained by a governmental entity, business entity, or health care entity. The law would also apply to cyber ransom or ransomware, defined as malware that encrypts or locks valuable digital files and demands a ransom to release the files.  To promote compliance, the bill provides for a civil penalty of up to $10,000 for any business entity that fails to comply. 

In conclusion, North Carolina and Florida have laws in place that prohibit state agencies and local government entities from paying a ransom following a ransomware attack. However, pending legislation in New York, if enacted, would prohibit private companies, including insurers, from making ransom payments on behalf of their insureds. The proposed New York law would be the first in the nation to prohibit such payments by private companies and would come with a civil penalty for non-compliance.

Copies of the North Carolina statute, the Florida statute, and the pending New York Senate bill can be accessed here.