United States: NYDFS Answers Age Old "To Pay The Ransom Or Not Pay The Ransom" Question With Definitive DON'T

As we have been writing over the past year, COVID-19 has presented a huge opportunity for hackers to wreak havoc on businesses and consumers. While confidentiality of data is usually the focus with such data breaches, system and data access is also at risk of attack by these same threat actors. We have seen this play out on a national scale the past couple of weeks with the pipeline shutdown due to ransomware.

According to the New York Department of Financial Services ("NYDFS"), insurance claims resulting from ransomware increased by 180% between 2018 and 2019, and almost doubled that amount in 2020. (Indeed, the pipeline company paid a ransom of $4.4 million.) As a result, the U.S. cyber insurance market was $3.15 billion in 2019 and is expected to exceed $20 billion in the next five years. And just recently, a carrier announced it would no longer pay out for ransomware claims in France. Earlier this year, in response to the increase in ransomware attacks, the NYDFS issued seven best practices ("Framework") that insurers should adopt, including a recommendation that insurers should stop paying ransom payments. Insurers should be aware of what the Framework entails and what this means for them when implementing cybersecurity programs and trying to obtain insurance coverage in the future.

Ransomware Payments

Ransomware is a type of malicious software that bad actors use to target businesses, large and small, that will infect a computer or the business's network and completely restrict the business's access to its network. Ransomware can also be used to acquire business information, such as proprietary information and customers' or employees' personal information. The bad actor will then demand payment (the ransom) in order to restore access to the network or return the stolen information alongside a promise to permanently delete and not to publicly release such information.

Businesses and insurers may choose to pay such ransoms in order to quickly regain access to their systems. Often this takes the form of a cost-benefit analysis where the business or insurer evaluates the costs and risks associated with paying a bad actor with an established history of honoring ransom payments. However, the NYDFS, FBI, and the Office of Foreign Assets Control state that the payment of the ransom likely does more harm than good. Payment of the ransom "fuels a vicious cycle of ransomware, as cybercriminals use them to fund ever more frequent and sophisticated ransomware attacks." Additionally, in the many cases of data extortion in 2020, the stolen information was still publicly released even after the ransom was paid.

Moreover, the NYDFS notes that the majority of cyber risk is largely attributed to the business's cybersecurity program. In many cases, the NYDFS observed that businesses use insurance payments to fill in the gaps of their cybersecurity programs instead of reviewing and improving its programs. If insurers do not effectively review the insured businesses' cybersecurity program and measures, the insurers will ultimately bear the risk.

Although ransom payment may fuel other ransomware attacks, businesses will likely still want to pay, or pressure insurers to pay, the ransom due to the immediate harms associated with disruption of operations. Businesses may want to make the payment in order to quickly get back up and running and minimize any loss resulting from such downtime.

Avoiding the Ransom

To avoid agonizing over whether to pay the ransom or not, businesses would be well-advised to identify data governance practices that can eliminate the need to rely upon bad actors to restore data. For example, establishing a routine, enterprise-wide data backup plan can allow businesses to simply restore their information systems from a point prior to the ransomware attack to rebuild their missing data. Likewise, even if a bad actor exfiltrated the data, making sure all sensitive data (such as Social Security numbers, driver's license numbers, credit card information, dates of birth, etc.) are encrypted both in transit and at rest can reduce the risk that such data will be dumped on the internet for all to see.

In addition, crowdsourced resources such as nomoreransom.com provide reconnaissance information on nascent ransomware attacks, which trained Information Technology professionals can use to thwart, avoid, and even decrypt certain attacks. Always consult with counsel and a qualified IT forensics firm prior to engaging with ransomware bad actors.

Plan Ahead

All in all, nothing beats an incident response plan. An incident response plan is a document that businesses can use to identify, prior to an incident, how best to respond to a disruption such as ransomware. Building an incident response plan, with your organization's culture and capability in mind, while training on that plan, can help put businesses far ahead of the curve when (not if) ransomware strikes. Engaging in table-top exercises that run through various security incident scenarios can also help make any business more prepared.

Bad actors only grow more sophisticated with time and resources. Inevitably, businesses will often feel a need to move fast when faced with a ransomware disruption to operations. These feelings and tendencies are only exploited by bad actors offering you relief for a price. Be sure that your organization slows down to understand the benefits, risks, and impact of incident response preparedness.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.