One of the most unusual notices that exists in many policies is the OFAC Advisory Notice. This notice, which can function to freeze or block an insurance contract, is rarely considered by claims professionals or insureds. So, what is OFAC?
OFAC stands for the Office of Foreign Assets Control, which is a financial intelligence and enforcement agency operating under the U.S. Treasury Department. The Division of Foreign Assets Control (DFAC), the precursor to OFAC, was created in the 1950s, when China entered the Korean War. DFAC blocked Chinese and North Korean assets that were subject to US jurisdiction. Thereafter, following a 1962 Treasury Department Order, DFAC officially became OFAC. Yet, despite OFACs presence as a governmental entity for over 70 years, little is known about it. Even less is known about OFAC’s relationship to the insurance industry.
In 2018, OFAC mandated an advisory notice restricting claims activities and payments when any person or entity benefiting from the subject insurance policy has violated US sanctions law or is a Specially Designated National and Blocked Person under OFAC. Included in the Specially Designated National and Blocked Persons list are various foreign agents, front organizations, terrorists, terrorist organizations, and narcotics traffickers.
In essence, the advisory mandates that insurers are restricted from issuing payments on claims where a designated entity is involved. Per the terms of the advisory this could include entities that are subject to foreign trade embargoes or sanctions.
Based upon our research, the OFAC advisory has been construed only a few times in the insurance industry. However, there has been increased discussions regarding this notice due to heightened worldwide tensions and international sanctions placed on certain countries, such as Russia, as a result of military activity. Further, the advisory notice would apply to any business or entity that is in violation of human rights, is subject to trade embargoes or sanctions, or is engaged in narcotics trafficking.
Although the advisory notice provides that the insured’s policy can be frozen or blocked if they are found to be in violation of OFAC regulations, neither OFAC nor case law provides clear direction as to what those exact ramifications are. This issue, however, should be considered in regard to any claim where such a designated entity may be involved, either as an insured or as the beneficiary of insurance payment.
Insurers who issue cyber coverage likely face the largest impact from the OFAC advisory notice. In fact, in 2020 the OFAC issued an Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments and issued an updated Advisory regarding same on September 21, 2021. That advisory, a copy of which is also linked to this newsletter, provides that facilitating ransomware payments demanded as a result of malicious cyber attacks may violate the OFAC advisory with respect to payments to those who have violated U.S. sanctions law or are Specially Dedicated national and Blocked Persons. The 2021 Advisory further provides as follows:
OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if such person did not know or have reason to know that it was engaging in a transaction that was prohibited under sanctions laws and regulations administered by OFAC.
In other words, an insurer who issues cyber coverage runs the very real risk of running afoul of OFAC regulations by issuing payment for any cyber ransom attack without first getting permission from the OFAC. As a result of these risks, insurers offering this type of coverage would benefit significantly by putting into place policies and protocols to ensure compliance with OFAC regulations and to ensure that proper reporting and communication with OFAC take place prior to issuing payment for any cyber ransom attack.
The attorneys at Lether Law Group have been providing insurers with coverage advice and recommendations for more than 30 years. Our experience includes addressing cyber claims and coverage issues under cyber policies. If you’d like to discuss this particular coverage issue or other insurance related issues arising in the ever-changing world of insurance, please feel free to contact our office.