If you were hit by ransomware, you are part of the rapidly growing number of organizations that have had to decide how to respond — legally, quickly and often quietly. The veil of silence that shrouds many businesses’ response and recovery makes leveraging best practices at that moment all the more difficult. Many businesses and their advisors face hurried, whispered conversations due to threats from the attackers, demand for payment in short timetables, concern about influencing company valuations or scaring off customers, and confusion regarding what is allowed and what is required. Reviewing legal requirements, considering how others have approached these challenges and consulting government guidance up front won’t eliminate the pain, but it can certainly help mitigate it.
While typically thought of as a security challenge, ransomware is increasingly become a privacy concern.
As organizations became better prepared to recover independently through frequent backups, the attackers shifted tactics. Today, ransomware gangs increasingly deploy “double extortion” schemes through which they not only encrypt data, locking organizations out of their own files and systems, but also exfiltrate the data itself, threatening to release personal and proprietary data, recognizing the liability and brand damage that it can cause. This threat means companies must also consider their responsibilities under countless data breach and privacy regulations. Sometimes, it means they are also more likely to pay.
Governments and organizations are working urgently to reduce the proliferation of and damage caused by ransomware. Pursuing policy recommendations and risk-mitigation strategies toward that end are paramount. While prevention is a prerequisite, once an organization has girded itself against ransomware, it must consider what to do if and when an attack is successful. Developing a ransomware playbook tailored to the unique business context after considering legal requirements and industry benchmarks is now a must. Following are some high-level considerations, focused on the U.S. context, and further resources worth consulting.
What does the law require?
Reporting requirements
U.S. law does not currently mandate across-the-board reporting of ransomware attacks, though the Biden administration and legislators have championed increased reporting requirements. However, publicly traded companies are required to file periodic reports with the U.S. Securities and Exchange Commission on a range of issues, including material risks to the business. In 2018, the SEC published guidance explaining the disclosure requirements concerning material cybersecurity risks and incidents. The guidance provides, in part:
"The materiality of cybersecurity risks or incidents depends upon their nature, extent, and potential magnitude, particularly as they relate to any compromised information or the business and scope of company operations. The materiality of cybersecurity risks and incidents also depends on the range of harm that such incidents could cause. This includes harm to a company’s reputation, financial performance, and customer and vendor relationships, as well as the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-U.S. authorities."
In practice, this can result in carefully worded press releases referenced in Form 8-K or 6-K filings with the SEC. While the SEC reported several years ago cyber-attacks were significantly underreported in company filings, that trend seems to have shifted as ransomware attacks surged. Today, more organizations are reporting at least the forward-looking risk posed by ransomware. We may see even greater reporting in the future, as the SEC recently announced planned rulemaking regarding cybersecurity risk disclosures.
The U.S. Federal Bureau of Investigation also encourages companies to report ransomware incidents to local FBI field offices. The FBI explained its role is to investigate threats and it does not intentionally provide such information to regulators.
Data protection and breach notification requirements
When personal data is involved, one of the first questions privacy professionals receive is whether the attack triggers data breach notification rules. The answer often requires a case-specific assessment, which turns on whether data was accessed or exfiltrated, the type of personal data at issue, and the jurisdiction under which it is processed.
In the U.S., all 50 states and three territories have a data breach notification law. The threshold for notification varies across these 53 laws. It can hinge on whether “unencrypted personal information” was “acquired by an unauthorized person,” as in California; whether the “acquisition” of such data “causes … or will cause, identity theft or other fraud” as in Virginia; whether the breach involves “sensitive personal information” as in Texas; or a host of other factors across state laws.
U.S. federal sectoral privacy laws also come into play. U.S. interagency guidance for financial institutions under the Gramm-Leach-Bliley Act outlines notification and reporting thresholds similar to those under state rules. The GLBA guidance states that an organization should notify its primary federal regulator when an incident involves “unauthorized access to or use of sensitive customer information” and notify the customer if it also “determines that misuse of its information about a customer has occurred or is reasonably possible.” The standard under the U.S. Health Insurance Portability and Accountability Act is more complex. The U.S. Agency for Health and Human Services published ransomware guidance stating encryption of protected health information, even without exfiltration, constitutes a breach, but breach notification is not necessary if the covered entity can demonstrate “there is a low probability that the PHI has been compromised.” In assessing whether it has been compromised, organizations must consider “whether the PHI was actually acquired or viewed,” among other factors, but should also consider whether there is a high risk to the integrity or unavailability of the data.
When operating outside of the U.S., organizations must similarly conduct fact-specific assessments according to the rules in each jurisdiction. In the European Union, for instance, the General Data Protection Regulation requires notification for when a security breach leads to “the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data” unless it is “unlikely to result in a risk to the rights and freedoms of natural persons.” Regardless of whether personal information is involved, the EU’s Directive on Security of Network and Information Systems requires operators of essential entities to report incidents that significantly impact the continuity of the essential service they provide.
The legality and efficacy of paying
In the wake of an attack, corporate leaders must decide whether they can and should pay the ransom demanded. They will face lots of questions and considerations, most of them subjective.
- Will paying the ransom produce the desired result? Does the attacker’s track record suggest it will provide a workable decryption key? (The FBI cautions there is no guarantee.)
- Is paying the ransom the most efficient and cost-effective means to recover versus restoring from backups?
- Will paying incentivize future attacks against the organization or others?
- How will paying the ransom (if disclosed or discovered) be perceived by customers, shareholders or other interested parties?
Each of these considerations is important, but the threshold question for almost all companies is:
- Is paying legal?
In the U.S., paying the ransom is legal in most circumstances, while officially discouraged by the U.S. government. One major exception is that it is illegal to pay (or facilitate payment to) an entity on the Office of Foreign Assets Controls’ Specially Designated Nationals and Blocked Persons List, other blocked persons, and those covered by comprehensive country or region embargoes. OFAC issued an advisory in late 2020 warning companies of the risk and liability associated with violating OFAC regulations either knowingly or unknowingly.
Anecdotally, however, U.S. officials have also explained that while discouraged, to pay or not to pay remains a business decision based on the factors above and many others. In fact, during a July 2021 Senate Judiciary Committee hearing, FBI Cyber Division Assistant Director Bryan Vorndran advised lawmakers against adopting a ban on ransomware payments, explaining that it could subject companies to further blackmail for withholding information on illegal payments.
While this piece has focused on U.S. developments, other countries, including France and Australia, are actively considering ransomware payment bans or payment disclosure requirements. As a result of this rapidly shifting landscape, companies will need to carefully consider current rules in the jurisdictions in which they operate.
How have others approached this challenge?
The full magnitude of the ransomware scourge is impossible to quantify given the lack of reporting obligations and shadowy nature of ransomware payments. The difficulty tracing cryptocurrency payments has not only made measurement difficult, it has served as a major enabler of ransomware. Crowdstrike found half of 2,200 IT decision-makers it surveyed in 2020 had been hit by ransomware and 27% chose to pay the ransom. Estimates of average ransom payments over the past year ranged from $54,000 to more than $1 million depending on the source. According to Coveware, the average downtime for organizations subject to ransomware in the fourth quarter of 2020 was 21 days. The average time to full recovery was many multiples of that: 287 days according to Emsisoft. Suffice it to say, the cost of attacks is multiplying quickly.
When an attack occurs, organizations must be prepared to respond immediately. Business leaders should have a general understanding of the response and recovery plan, considerations, and decision points well in advance of needing to execute it. The U.S. Cybersecurity Infrastructure Security Agency offers one of many helpful checklists to guide the development of an internal ransomware response playbook. Following are a few key considerations for organizations developing such plans, offered with thanks to those who shared their own experiences.
- Cyber insurance has become a must. Business leaders should understand their coverage for the full range of potential costs, including system downtime, business interruption, necessary notifications or credit monitoring, potential ransom payment, and any litigation that could result. Insurers may provide a list of cybersecurity firms from which organizations can choose to guide them through assessment, response and recovery. Identifying a firm to work with in advance, should the need arise, can help improve response time.
- Organizations should identify a rapid response team and develop an internal and external communications strategy (to the greatest extent possible) in advance of an attack. The response team will likely include the chief executive, technology officer, financial officer, privacy officer, operating officer, human resources officer, communications officer, general counsel and at some stage the board (as applicable). The organization’s ransomware playbook should include emergency phone numbers in case email systems are locked and contact information inaccessible.
- The chosen cybersecurity firm can work with the internal IT team to conduct a wide-ranging but rapidly executed assessment to help inform the business’s decision on how best to restore operations. They can assess the impact and nature of the attack, the systems, data types and files impacted, whether data was accessed or exfiltrated, and the history and sophistication of the attacker. They can also help business leaders consider the viability, speed and cost of recovery from backups in comparison to the cost, viability, and reliability of recovery by paying the ransom for decryption. Some cybersecurity firms can help negotiate down the ransom payment on behalf of the business, assist with making the cryptocurrency payment and optimize the efficiency of the key as they work to decrypt files.
- Organizations should carefully document their assessment, response and recovery steps. This documentation will help to inform necessary reporting, notification, law enforcement or regulatory scrutiny, insurance recovery, and future preparation.
What’s next?
The considerations discussed above are far from exhaustive and the landscape is shifting quickly. While cyber insurance is increasingly viewed as a critical risk-mitigation measure, it has become more difficult to acquire. Premiums have increased and many carriers now demand baseline security protections. Disclosing such coverage in SEC filings or elsewhere is also perceived as risky. This was made painfully clear by one threat actor who publicly acknowledged going after those with coverage. The fact that insurers play such a central role in ransomware response has led some to suggest they should be banned from covering ransom payments, which could encourage further attacks, while others acknowledge the helpful role insurers can play in improving organizational preparedness.
We will continue to watch this space as policymakers and organizations develop new strategies to prevent, avoid and respond to ransomware.
Photo by Michael Geiger on Unsplash