Bates Research | 07-23-21
Coordinating on Ransomware: Federal, State Law Enforcement and Regulators Mobilize
The White House, Congress, and a host of federal and state law enforcement agencies and regulators are mobilizing to combat the threat of ransomware, a type of malicious software used by cybercriminals to “encrypt files on a device, rendering any files and the systems that rely on them unusable. Malicious actors then demand ransom in exchange for decryption.” In the wake of high-profile attacks on commercial and industrial sectors and businesses of all sizes, the Biden administration has made the issue a priority. One official expressed the government’s intention to shift the strategy from incident response to prevention: “from talking about security to doing security.” But the sheer size of the cybersecurity problem—by one report, over 65,000 ransomware attacks against U.S. entities in 2020—demands that officials do more and move more quickly. Here we highlight some of the recent administrative, legislative and regulatory efforts to confront ransomware.
Executive Action and Law Enforcement
On May 12, 2021, President Biden signed an Executive Order (with accompanying fact sheet) to improve the nation’s cybersecurity. The President pledged to modernize “cybersecurity defenses by protecting federal networks, improving information-sharing between the U.S. government and the private sector on cyber issues, and strengthening the United States’ ability to respond to incidents when they occur.” The Order offered a reminder that “much of our domestic critical infrastructure is owned and operated by the private sector,” and contained a plea to companies “to take ambitious measures to augment and align cybersecurity investments with the goal of minimizing future incidents.”
Federal Agency Cooperation
Two months later, on July 15, 2021, a group of federal agencies, including the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”), the U.S. Secret Service, the Federal Bureau of Investigation, the Department of Health and Human Services, the National Institute of Standards and Technology, and the Treasury Department’s Financial Crimes Enforcement Network (“FinCEN”), launched a new website, StopRansomware.gov, to share resources among governmental organizations (including state agencies) and to support efforts by the private sector to strengthen its cyber defenses.
The site is to serve as a hub featuring the latest alerts from the participating agencies. It promises sector-specific guidance “for all 16 critical infrastructure sectors vital to the Nation,” including energy, food, healthcare, and information technology—sectors that have been the targets of cyberattacks. Further, the site provides information on cybersecurity training, mitigating cybersecurity risk (CISA is working on a “Catalog of Bad Practices”) and a pass-through mechanism for responding to cybersecurity incidents. The website itself is a demonstrable attempt at fulfilling the goal of the Executive Order and, if used, should become an important resource for governmental entities and the private sector. (Another demonstration of outreach and education is Treasury’s convening of a “FinCEN Exchange” in August 2021, with financial institutions, key industry stakeholders, and other federal government agencies to discuss the concerns regarding detecting and reporting ransomware.)
Much of the movement on cybersecurity since the issuance of the Executive Order appears to be organizational, as key figures settle into their new roles. Among them are Chris Inglis, who was confirmed on June 17, 2021 by the Senate as the first White House National Cyber Director, and Jen Easterly, who was confirmed by the Senate as CISA Director on July 12, 2021. Their confirmations should help expedite policy and coordination among enforcement officials.
Elements of a Strategy: Intergovernmental Task Force, DOJ Tip Line, Cyber Insurance
Recent reports suggest that aggressive tactics to confront the ransomware threat are being considered by a new intergovernmental task force. Such tactics include proactive efforts to identify and target (“hacking back”) ransomware perpetrators through the “digital infrastructure they use to operate.” The broad tactics remain those formulated for the Executive Order, including strengthening digital resilience of critical infrastructure, more attention to reported data from cryptocurrency exchanges, greater and speedier information sharing, closer international cooperation and tighter public and private sector controls “against digital compromise.”
Other initiatives intended to address the ransomware threat illustrate the broad range of possible remedies. The State Department, for example, recently announced a “Rewards for Justice” program, which offers up to $10 million for information leading to the “identification or location” of anyone acting under the direction of a foreign government or anyone involved in cyber activities against U.S. critical infrastructure. The program also includes a tip hotline located on the “dark web” to protect sources. Sharing of such information among law enforcement agencies could make a significant difference.
Additional angles reportedly being discussed include improving cooperation (particularly on reporting) with cyber insurance providers. As cyber executives from one insurance company put it: “improved data sets, such as aggregated and anonymised cyber incident reporting, would support the insurance industry in creating relevant products and track long-term profitability.” That will be an interesting development given that cyber insurers are facing their own significant challenges from ransomware hackers as well as struggling to maintain profitability “upended by a more than 400% rise last year in ransomware cases and skyrocketing extortion demands.”
Federal Legislative Efforts
The ransomware wave, particularly the attack on Colonial Pipeline, has been met with alarm and bipartisan action on Capitol Hill. The House of Representatives passed numerous cyber-related bills on July 20, 2021 in response. They include (i) grant funding for state and local cybersecurity needs; (ii) providing for the remediation of cybersecurity vulnerabilities on systems and industrial control systems; (iii) requiring CISA to establish a program and test critical infrastructure readiness against cyberattacks; (iv) requiring the Energy Secretary to establish a program and test the cybersecurity of products intended to be used in the bulk power system; and (v) enhancing the partnership between CISA and cyber-stakeholders to strengthen critical DHS industrial control systems and enhance cyber and physical electric grid security.
Recent reports indicate that the U.S. Senate is also near agreement on bipartisan cyber legislation. Currently under negotiation is a bill out of the Intelligence Committee that would require “federal agencies, federal contractors and owners and operators of critical infrastructure” to report cybersecurity incidents to CISA within 24 hours. Another bill would “grant liability protections to groups that report breaches.” Homeland Security and Governmental Affairs Committee Chair Gary Peters (D-Mich.) has hinted that he is working on a bill concerning ransomware and cryptocurrency. (On July 20, 2021, Senator Peters announced a bipartisan investigation on the subject.)
Other Federal and State Regulatory Action on the Radar
Securities and Exchange Commission
Financial regulators appear to be working within the administration’s overarching framework as well. As discussed in a recent Bates post, the SEC highlighted its intention to propose a rulemaking on cybersecurity risk governance as part of the June 11, 2021 Unified Agenda of Regulatory and Deregulatory Actions. In the abstract for the proposed rule, the SEC Division of Corporation Finance stated only that it is considering recommending rule amendments to enhance issuer disclosures regarding cybersecurity risk governance. The ongoing debate over new strategies and tactics to combat ransomware attacks, however, will surely affect the formulation of any proposed rule. Until then, the SEC’s most recent guidance on ransomware, issued through the Office of Compliance Inspections and Examinations (OCIE) and based on examinations, suspicious activity report filings, law enforcement information and public reporting, remains operative. (See previous Bates coverage.)
New York State Department of Financial Services
The states have raised alarms as well. On June 30, 2021, the New York State Department of Financial Services (“DFS”) issued additional guidance on ransomware. (See Bates post on the DFS Cyber Insurance Risk Framework issued in February 2021.) In the new guidance, the DFS called ransomware “the most disruptive cybercrime” because “it shuts down hospitals, schools, and companies. It prevents consumers from getting services, patients from receiving care, and employees from working.” The DFS noted that between January 2020 and May 2021, DFS-regulated companies reported 74 ransomware attacks, of which 17 paid a ransom. (This does not include attacks on third-party vendors that affected regulated entities.)
DFS advised that any “successful deployment of ransomware” or any intrusion where hackers gained access should be reported to the DFS within 72 hours. DFS is considering making that reporting mandatory. Among other expectations, DFS reiterated that regulated companies should (i) conduct training on their network security obligations, email filtering and anti-phishing; (ii) have “a documented program to identify, assess, track, and remediate vulnerabilities;” (iii) use multi-factor authentication and ensure the use of strong passwords; (iv) implement the “principle of least privileged access”; (v) monitor their systems and respond to suspicious activity alerts; (vi) back up data to allow for recovery in the event of an attack; and (vii) develop an incident response plan “that explicitly addresses ransomware attacks.”
The many executive, legislative and regulatory efforts described above reflect an urgency about a phenomenon that seems to be growing out of control, made worse by the accelerated growth of difficult-to-trace blockchain financial transactions. While it is impressive that the government entities appear to be moving toward meaningful coordination on strategy, policy and resources, the efforts to date seem cumbersome in light of the apparent agility and speed of the ransomware perpetrators. The pace, however, is quickening. Legislation, regulation and enforcement are now in the pipeline. Bates will keep you apprised.