Ransomware is a national security issue that affects all sixteen critical infrastructure sectors, including the transportation and healthcare sectors.
Over the past year, ransomware attacks have made major headlines. In May 2021, Colonial Pipeline - which transports 100 million gallons per day of gasoline, diesel, and jet fuel - was shut down due to a ransomware attack. The company paid a ransom of $4.4 million. In June 2021, JBS - the largest meat production company in the world - was shut down due to a ransomware attack, and it paid a ransom of $11 million.
These are not isolated incidents. According to one source, the U.S. suffered 65,000 ransomware attacks in 2020 alone. The Department of Health and Human Services reports that in 2020, there were 80 ransomware incidents affecting 560 healthcare organizations, which caused ambulances to be rerouted, radiation treatments to be delayed, and loss of access to medical records. Similarly, an IBM report reveals that in 2020, the transportation industry was among the top 10 most cyberattacked industries.
In 2020, ransomware payments reached over $400 million. A leading cybersecurity company reports that in 2020, the average ransomware payment was over $300,000, and the highest ransomware payment was $30 million.
Recently, President Biden issued an Executive Order on Improving the Nation's Cybersecurity and observed that "Protecting our Nation from malicious cyber actors requires the Federal Government to partner with the private sector. The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace." President Biden also issued a memorandum about the need to improve cybersecurity for critical infrastructure control systems.
To address the ever-growing problem of ransomware and other forms of cyberattacks, Congress has introduced a spate of bills this year. Among them:
- The Cyber Incident Notification Act of 2021 amends the Homeland Security Act of 2002 and requires companies in critical industry sectors, including the transportation sector, to notify the Department of Homeland Security within 24 hours of a cybersecurity intrusion event. Companies that violate this Act may be assessed a civil penalty as high as 0.5 percent of the entity's gross revenue for the prior year for each day the violation continued or continues.
- The Cyber Response and Recovery Act of 2021 amends the Homeland Security Act of 2002 and establishes a $20 million cyber response fund for private and public entities to respond to and recover from cyberattacks. The funds may also be used for technical assistance, threat detection, and network protection.
- The Infrastructure Investment and Jobs Act is a five-year surface transportation reauthorization bill that includes a cybersecurity enhancement and resiliency grant program for
Whether a variation of any of these bills ultimately passes into law remains to be seen. We will continue to monitor these bills. In the interim, we recommend that our clients be proactive with their cybersecurity efforts and encourage the following:
- Review the Cybersecurity and Infrastructure Security Agency's Ransomware Guide (September 2020);
- Evaluate contracts with vendors that provide cybersecurity services and determine the vendor's liability when there is a ransomware attack or data breach;
- Evaluate contracts with vendors that provide third-party services and manage confidential customer or patient information (e.g., birthdates, social security numbers, credit card numbers, and medical records) and determine the vendor's liability when there is a ransomware attack or data breach;
- Evaluate contracts with customers to determine whether cyberattacks may be characterized as force majeure events;
- Weigh the costs of purchasing cyber liability insurance policies to mitigate financial losses from business interruptions, data theft, and ransom payments;
- Scrutinize the scope of any existing cyber liability insurance policies and understand what is (and may not be) covered under the
- Cultivate relationships with IT consultants and forensic data experts who have experience dealing with cyberattacks;
- Develop an incident response program;
- Regularly run awareness and training exercises throughout the
- Frequently create and store backup data offline; and
- Continuously invest in, install, and audit the multiple controls that can prevent or reduce cyberattack incidents (e.g., multi-factor authentication, regular software patching, anti-malware software, and firewalls).
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.