To put it simply, ransomware is a huge problem. Over the last several years, ransomware attacks have become more frequent, more complicated, and more expensive. Government institutions, publicly traded corporations, and small businesses have all been regular targets of ransomware attacks. The criminals don’t discriminate when it comes to choosing their victims, and 2020 saw a huge surge in the prevalence of ransomware attacks as businesses scrambled to move their employees to remote working environments. In a recently published report, Washington, DC-based cybersecurity firm PurpleSec estimated the total global cost of ransomware attacks in 2020 at $20 billion, up from $11.5 billion in 2019.
Ransomware, a form of malware in which the criminal encrypts files or locks users out of their own systems, initially saw a resurgence as cryptocurrency, such as Bitcoin, became more prevalent and available, since cryptocurrency provided an easier and less traceable way to pay ransoms. In order to regain access to the encrypted files or locked systems, businesses either needed to pay the ransom so that the criminal would provide the key to their data, or they needed to have good backup systems so they could restore their otherwise inaccessible data. Within the past two years, however, ransomware has evolved in response to businesses improving their backup systems. Specifically, in addition to ransomware, criminals are now frequently deploying other malware to actually exfiltrate data, which they then threaten to publish or sell if the business refuses to pay the ransom.
The ongoing dilemma for victims of ransomware attacks is: do you pay the ransom or not? It’s becoming more common for law enforcement and government agencies to encourage businesses not to pay the ransom.
The long-time stance of the FBI and other law enforcement agencies is that victims should never pay a ransom. From their perspective, paying the ransom both emboldens the criminals to commit further attacks and finances additional and more sophisticated ones. As we reported in October 2020, the US Department of Treasury stated that victims of ransomware attacks who pay ransoms, and any insurance companies or intermediaries that facilitate such payments, could face civil penalties if the criminal actor turns up on a US list of “banned” cybercriminal organizations.
Earlier this month, the New York Department of Financial Services (DFS) joined that position when it issued guidance to insurance companies containing the same recommendation (or perhaps warning) that insurance carriers should avoid issuing policies that require or allow for payment of ransoms. The guidance noted that ransomware attacks reported to DFS doubled from 2019 to 2020, and that insurance claims relating to ransomware attacks tripled between early 2018 and late 2019. The guidance further encouraged insurance carriers to develop a “rigorous and data-driven approach to cyber risk” and noted that “insurers that don’t effectively measure the risk of their insureds also risk insuring organizations that use cyber insurance as a substitute for improving cybersecurity, and pass the cost of cyber incidents to the insurer.” In other words, the DFS is encouraging insurance companies to actively evaluate the cybersecurity measures employed by their insureds before, or in association with, issuing policies, so that insurance does not act as just a loss buffer for businesses that fail to take appropriate cybersecurity precautions.
Although the DFS guidance is not legally binding, and there have been no reported cases of the Department of Treasury issuing penalties to victims of ransomware, the proverbial writing is on the wall, or at least a rough outline of it is. The first effective way to combat the continued growth of ransomware is to cut off its profitability to the criminals. The other way is for businesses to invest in strengthening their cyber defenses rather than paying ransoms or relying on insurance coverage to pay for the consequences of an attack after the fact (or simply hoping they don’t suffer a cyberattack). Paying a ransom will not be looked upon kindly if the business didn’t take appropriate steps to protect its data.
This is a consistent theme throughout the cybersecurity and data privacy landscape. Governments and their regulatory agencies are continuing to expand their reach into cybersecurity through the passage of new laws and regulations that set specific, or at least minimum, standards that businesses must achieve to protect their sensitive data and systems. Although they are the victims of sophisticated cyber criminals, businesses will face more and harsher scrutiny from government regulators (and in civil lawsuits) for cyberattacks that expose private information of the business’s clients, customers, patients, or employees.
It is more important than ever for businesses to make cybersecurity a prominent aspect of their business plans. Conducting proper cybersecurity risk assessments and training, developing appropriate data protection and breach response policies and procedures, and ensuring that contracts and business transactions take into account cybersecurity risks and requirements are not just good ideas and should not be undertaken just because they are required by law (which is increasingly the case). Rather, businesses should view these steps as an investment in the future of business and as a competitive necessity. In a data-driven world, businesses that have developed cybersecurity programs can, and should, tout their dedication to protecting both their confidential information and their customers’ private data as good reason to invest or do business with them.
If you have any questions regarding the content of this alert, please contact Nick DiCesare, Cybersecurity Team co-leader, at ndicesare@barclaydamon.com; Kevin Szczepanski, Cybersecurity Team co-leader, at kszczepanski@barclaydamon.com; or another member of the firm’s Cybersecurity Team.