Ransomware state of the union: regulations, trends and mitigation strategies


October 14, 2021 - Ransomware attacks have dominated the cybersecurity headlines in 2021. New attacks have made headlines throughout the year as attackers have adopted increasingly sophisticated strategies to maximize the impact on business operations and exfiltration of sensitive information. Regulators have recently taken multiple actions to help financial institutions combat the significant threats posed by these attacks.

This article highlights the current trends in ransomware attacks, discusses several of the recent actions taken by regulators, and provides some proactive measures and mitigation strategies that companies can implement to best prepare themselves for potential ransomware attacks and to avoid the regulatory scrutiny and potential litigation that may follow.

Current trends

Ransomware attacks have evolved significantly over the last several years and continue to do so. Threat actors have shifted from attacks that often only encrypted a company's systems to a hybrid, "double extortion" attack that both locks down the company's network and exfiltrates its data, so that the victim is pressured to pay even if it can restore from backups.

The number of threat actors launching attacks has also increased dramatically with the development of "ransomware-as-a-service," in which ransomware variants are licensed to affiliates who execute the attacks and share the proceeds with the developers. The resulting emergence of new attackers has increased the uncertainty and volatility companies face in responding to attacks, because little is known about many of the growing number of ransomware threat actors.

It is not surprising that this evolution of ransomware attacks has also resulted in an increase in both the total costs and the amount of time it takes for companies to discover and respond to incidents. According to IBM Security's 2021 Cost of a Data Breach Report, the average cost of a data breach in the U.S. in 2021 is $9.05 million, up from $8.64 million in 2020. The same study showed that it takes a company an average of 287 days to identify and contain a data breach. That's longer than an entire NFL season. Cybersecurity Ventures estimates that ransomware attacks will cost the global economy $20 billion in 2021.

This perfect storm of increased risk, cost and regulation has resulted in a hardening of the cyber insurance market. Companies are facing significant rate increases and/or reductions in limits for cyber insurance as insurers respond to the steep rise in claims and potential exposure. Some insurers are creating sublimits for ransomware payments and raising underwriting standards for the cybersecurity practices and protocols that companies must have in place. Others are requiring that specific provisions and protocols be followed before a ransomware payment will be covered. The result is that cybersecurity is now a critical business issue that must be a priority for every company.

New regulatory guidance

In response to the current threat landscape, multiple regulators have issued statements that cybersecurity will be a regulatory priority, especially for financial services companies. This includes guidance on how companies can counter cyberattacks and legal considerations in making ransom payments.

OFAC advisory on ransomware payments

In September, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) issued an updated advisory on paying ransoms and the risk of potential sanctions that companies face in making such payments.

The new advisory was issued by OFAC contemporaneously with an announcement that it had placed SUEX, a cryptocurrency exchange, on its Specially Designated Nationals and Blocked Persons List (SDN List) for facilitating transactions involving the proceeds of at least eight ransomware variants; OFAC's analysis found that over 40% of SUEX's known transaction history was associated with illicit actors. The advisory highlights, among other things:

(1) Discouragement of ransom payments: The advisory reiterates the long-standing position of the U.S. government that the payment of ransoms is strongly discouraged, and reminds companies that OFAC may impose civil penalties for sanctions violations on a strict-liability basis, regardless of whether the payer knew it was dealing with a sanctioned party.

(2) Cooperation with law enforcement is a mitigating factor: In the event that a company makes a ransom payment to a person or entity on the SDN List, OFAC states that it would consider the company's prompt self-disclosure of the ransomware attack to law enforcement, and its ongoing cooperation during and after the attack, as significant mitigating factors.

(3) Need for a sanctions compliance program and security controls: Finally, the advisory encourages companies to implement a "risk-based compliance program to mitigate exposure to sanctions-related violations." Notably, the advisory states that this applies not only to victims but also to organizations that help companies respond to ransomware attacks, including cyber insurers, digital forensics firms, payment facilitators and other entities assisting with incident response.

SEC and FINRA examination priorities

The U.S. Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority (FINRA) have each published reports outlining their examination priorities for 2021. Both regulators have placed increased emphasis on cybersecurity in recent years. The SEC's report focused on improving companies' responses to cyberattacks and on identifying potential risks within their environments. FINRA's report highlighted potential vulnerabilities and outlined recommended practices for member firms to implement in their compliance programs. Both organizations noted the sharp increase in remote operations due to the pandemic and the rise in cyberattacks, which together have amplified concern over the security of sensitive information.

FINRA's report observed continuing vulnerabilities at firms that do not provide comprehensive cybersecurity training to personnel and third-party providers, do not encrypt all confidential data, and have not adopted proper data loss prevention programs. The report also cited inadequate supervisory oversight of application and technology change management, including upgrades, modifications to vendor systems, and integration of firm or vendor systems.

FINRA also noted the increased number of cybersecurity incidents at firms, including ransomware attacks, and recommended that firms maintain proper risk management programs. This includes collaboration across multiple departments to address key risk areas, monitor access and entitlements, and investigate potential violations of firm rules or policies regarding data access or data accumulation.

NYDFS industry guidance

The New York Department of Financial Services (NYDFS) also issued Industry Guidance noting that ransomware attacks increased 300% in 2020 and concluding that "the rise of ransomware has been fueled by the ever-growing payments made by ransomware victims," because those payments are used to fund more frequent and more sophisticated ransomware attacks.

The NYDFS's guidance studied 74 ransomware attacks reported to it between January 2020 and May 2021 and found that a ransom was paid in 17 of them (23%). The most common techniques the threat actors used to gain initial access in those cases were phishing, exploitation of unpatched vulnerabilities, and poorly secured Remote Desktop Protocol (RDP) access.

Like many other regulators, the NYDFS recommends against paying ransoms and instead instructed companies to adopt a "defense in depth" strategy that layers multiple, independent security controls within their environments, so that the failure of any single control does not give an attacker the run of the network.

Mitigation strategies

The current trends and recent regulatory guidance described above reinforce that it is imperative for companies to adopt sound mitigation strategies to plan for and defend against ransomware attacks. The following are best practices that companies should consider adopting to protect sensitive information and mitigate the numerous potential risks:

(1) Engage in a data mapping exercise: Every company should conduct a data mapping exercise to understand, among other things, the types of information it collects, where that information is stored, who has access to it, and how it is used. One of the most critical steps in responding to a cyberattack and mitigating its risk is having a fundamental understanding of the data, because a company cannot assess what was exfiltrated, or what notification obligations follow, without it.

(2) Review data security controls: The recent regulatory guidance highlights a number of the controls companies should have in place, including multi-factor authentication, encryption of confidential data, endpoint protection, timely patching of known vulnerabilities, and regularly tested backups that are kept isolated from the production network.

(3) Evaluate incident response planning: Every company should review its incident response plan to ensure that the response team includes members from multiple departments and that the plan addresses the current cyber threats to the company. Every plan should be tested at least annually through a tabletop exercise, which may involve outside counsel or third-party vendors.

(4) Analyze cyber insurance coverage: Considering the seismic shifts within the insurance market, every company needs to ensure that it has sufficient cyber insurance coverage and a clear understanding of what is and is not covered under that policy, including any sublimits or preconditions that apply to ransomware payments.

(5) Address vendor management protocols: Third-party vendors present one of the biggest cyber risks to any company. Every company should review its vendor management program to ensure that vendors are required to maintain appropriate security controls to protect sensitive information; that all written agreements with vendors contain provisions addressing cybersecurity risks, including insurance coverage and incident notification; and that vendors are audited periodically to verify that the required controls are actually in place.

A company's strategy needs to be proactive by addressing these issues and considerations in advance of an attack. At the same time, companies need to be prepared to respond to an incident in real-time. Critical to this preparedness is creating a practical, useful and updated incident response plan, testing that plan, and then incorporating lessons learned and retesting.

Experienced cybersecurity attorneys can be critical in assisting companies with cyber incident preparedness, including developing and revising incident response plans and conducting tabletop exercises to test them. Each of these activities helps ensure that companies are as prepared as possible in the event of a cyber incident.

CORRECTION: This article has been corrected to provide attribution to Cybersecurity Ventures for the statement that ransomware attacks will cost the global economy an estimated $20 billion in 2021.

Opinions expressed are those of the author. They do not reflect the views of Reuters News, which, under the Trust Principles, is committed to integrity, independence, and freedom from bias. Westlaw Today is owned by Thomson Reuters and operates independently of Reuters News.

Alex Koskey, an attorney in Baker Donelson's Atlanta office, is a Certified Information Privacy Professional and represents financial institutions and organizations on data privacy, regulatory and compliance, and litigation matters. He can be reached at akoskey@bakerdonelson.com.

Matt White, a shareholder in the Memphis office of Baker Donelson, advises clients on cybersecurity and data privacy issues. He is a Certified Information Privacy Professional (CIPP / US, CIPP / E) and a Certified Information Privacy Manager (CIPM). He can be reached at mwhite@bakerdonelson.com.