Why Your Business Needs a Ransomware Payment Policy

by Julie DiMauro

When I was working with my friend and digital forensics expert, Professor Darren Hayes, on preparing an instructor-led, virtual ransomware training course several months ago, I noticed that the threat landscape and the number of such attacks weren’t just changing and increasing,[1] but that the discussion about whether paying a ransom after such an attack was legal or not was evolving.

The answer to whether you can pay a ransom or not depends on an emerging body of law and guidance. Let’s take a quick peek and see what is going on here.

OFAC’s Advisory

On September 21, 2021, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) issued an Advisory that updates a prior one and states in no uncertain terms that the “U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands.”

Why the hard line here?

OFAC notes that such ransomware payments could be “used to fund activities adverse to the national security and foreign policy objectives of the United States.”

Basically, the agency is pointing out that the payments can further incentivize cyber criminals and that paying a ransom puts a business in jeopardy of violating the important sanctions programs OFAC oversees.

Making such a payment could be viewed as a business engaging in financial or other transactions with certain individuals, organizations, or countries, including those listed on OFAC’s Specially Designated Nationals (SDNs) and Blocked Persons Lists, or countries subject to embargoes. The OFAC Advisory makes clear that many ransomware criminals are so designated pursuant to its cyber-related sanctions program.

The logic here is apparent. But I’m still thinking about the company grappling with the legal, compliance, and reputational risks associated with having their customer and employee data held captive by a shadowy figure who does not care about SDNs any more than individual privacy rights.

Thankfully, OFAC will consider various mitigating factors in deciding whether to impose penalties against organizations for sanctioned transactions, including if the organizations promptly reported ransomware attacks and payments to law enforcement and regulatory authorities.

But the ransomware payment consideration does not end with OFAC.

FBI guidance and proposed U.S. laws

The FBI does not say you cannot pay a ransom; it says it does not advocate paying one.

Part of the agency’s reasoning is that paying does not guarantee an organization will regain access to its data, because some criminals never turn over decryption keys and some decryption tools are flawed.

Consider some sobering statistics on what companies get in return for their anxiety-ridden decision to pay the ransom:

  • On average, only 65 percent of the data is recovered after the organization pays for the decryption tool, often through a cryptocurrency payment
  • Nearly 29 percent could not recover more than half of the encrypted data
  • Only about 8 percent of organizations that pay get all their data back

The FBI implores businesses in its guidance to report ransomware incidents to law enforcement, so these authorities can help track down the attackers and hold them accountable.

As for the legislative arm of the U.S. government, Congress has been trying to offer some concrete mandates in the ransomware paying and incident-reporting arenas.

In 2021, a handful of federal ransomware reporting bills were proposed that mandated companies report any cybersecurity breach or attempt with potential national security, government or economic impact within a certain (short) timeframe.

A Senate bill, the Cyber Incident Reporting Act of 2021 (S.2875), was specifically targeted at ransomware incident reporting, but it failed to pass Congress. It would have established a Cyber Incident Review Office in the Cybersecurity and Infrastructure Security Agency of the Department of Homeland Security, included a 72-hour window for reporting a ransomware incident, and mandated that any ransomware payment be reported within 24 hours.

Among several other recent proposals, something called the Ransom Disclosure Act would require any company engaged in interstate commerce to report ransomware payments within 48 hours, with penalties for nonreporting to be determined later. And the Ransomware and Financial Stability Act would ban banks from paying most ransom demands.

Proposed state laws

Some individual states have also either passed or proposed legislation banning state agencies, local governments, and some businesses from paying ransom.

The first to take a crack at it were North Carolina in November 2021 and Florida in July 2022, when both banned state government entities from paying ransoms connected to ransomware attacks.

In North Carolina, the prohibition covers all state agencies, the University of North Carolina, cities, counties, local schools, community colleges, and more.

The law requires all agencies to immediately notify the North Carolina Department of Information Technology in the event of a ransomware attack, and state agency administrators and cybersecurity specialists are restricted from communicating with ransomware groups in the event of an attack.

Florida’s ban on government entities paying ransoms mandates that all Florida government agencies and departments report all ransomware incidents within 12 hours and requires organizations to provide detailed information on the data stolen and the ransom demanded.

If you scroll to the end of the bill, it says that “a state agency… a county, or a municipality experiencing a ransomware incident may not pay or otherwise comply with a ransom demand.”

Texas authorizes the Texas Department of Transportation to purchase insurance coverage for ransomware.

New Mexico and Maryland passed bills that provide funding for cybersecurity training and ransomware response tools. (See the National Conference of State Legislatures’ Computer Crime Statutes for details.)

Several state bills are in limbo right now, with a New York bill sponsored by state senator Diane Savino sitting in a state committee. The bill, S6806A, would prohibit governmental, business and healthcare entities from paying a ransom in the event of a cyber incident or ransomware attack.

In February 2021, the New York State Department of Financial Services (NYDFS) issued a notice arguing that insurers should not make ransomware payments because they could violate OFAC sanctions; might not result in the restoration of data; and might fund future ransomware attacks against the same or other organizations.

The agency followed up with ransomware guidance in June 2021, and in July 2022 released proposed, draft amendments to its groundbreaking cybersecurity regulation known as 23 NYCRR Part 500, introduced in 2017.

Just days ago, on November 9, NYDFS Superintendent Adrienne A. Harris more formally announced those amendments to Part 500, noting the enhanced rules are designed to strengthen NYDFS’s risk-based approach and ensure cybersecurity risk is integrated into covered entities’ business planning, decision-making, and risk management.

The changes include, but are not limited to:

  • The creation of three tiers of companies, further tailoring the regulation to a diverse array of businesses with different defensive needs, such as by increasing the size threshold of smaller companies that are exempt from many parts of the regulation;
  • Enhanced governance requirements that increase the accountability for cybersecurity at the board and C-suite levels;
  • A requirement that covered entities notify the superintendent electronically, using a specific form on the NYDFS website, as promptly as possible but no later than 72 hours after a cybersecurity event has occurred that is either
    • An event impacting the entity of which notice is required due to a law or regulation from a government body, self-regulatory agency or other supervisory body; or
    • An event that has a reasonable likelihood of materially harming, disrupting or degrading any material part of the normal operations of the entity;
  • A requirement that covered entities notify the superintendent of a cybersecurity event in which an unauthorized user has gained access to a privileged account or an event that resulted in the deployment of ransomware within a material part of the entity’s information system;
  • A requirement that entities provide notice and explanation of any extortion payment made in connection with a cybersecurity event within 24 hours of the payment, and within 30 days, a written description of the reasons why the payment was deemed necessary, describing the diligence performed to find alternatives to said payment;
  • Requiring more regular risk and vulnerability assessments, as well as more robust incident response, business continuity, and disaster recovery planning; and
  • Directing companies to invest in regular training and cybersecurity awareness programs that are relevant to their business model and personnel.

The proposed amended regulation is subject to a 60-day comment period beginning on November 9, 2022, upon publication in the State Register.

Time for a policy check-up – and more prevention

In light of the foregoing, if your cybersecurity compliance policies and procedures are not keeping pace with these developments, it can only add to your woes once an attack strikes.

An organization’s cyber incident response team (CIRT) must appreciate that the timing of reporting the incident, and of paying a ransom, may not be its choice to make; and if it is, the organization should be prepared to justify its decisions, given the growing impetus against making such payments or delaying any reporting to authorities.

The plan developed by the organization’s CIRT must also consider exactly how the short timeframes for reporting to authorities (24 to 72 hours, as noted above in state laws and proposals) will be met. It must also appreciate that the involvement of authorities is likely to alter the dynamic of its own investigations and communications with the hacker and the public.

Organizations must consider the risks of paying (ranging from the risk of getting little data back to the risk of breaching sanctions directives) by weighing several factors involved in the attack.

Those factors include the type of ransomware variant, the ransomware entity or group involved in the attack and its track record for publishing the data or sharing it with other criminals, and the nature of the attack itself; these are matters that independent forensic investigators and law enforcement authorities are best placed to address.

The organization must also assess whether its cybersecurity insurance policies will cover some or all of the costs of an attack when deciding whether or not to pay.

In crafting communications to an organization’s board of directors about why it did NOT pay a ransom, the organization’s compliance personnel should point to any legal requirements to which it was subject and the advice of independent experts and law enforcement officials.

The frequency and considerable damage these attacks bring, plus the increasing sophistication of hackers, and the evolving legal mandates about paying ransoms and reporting timescales underscore what we already know: Compliance never ceases to be challenging.

Companies should begin planning and budgeting for the proposed requirements outlined above now, including the essential business continuity and disaster preparedness plans that are critical in this area and were considerably underscored by the COVID pandemic experience.

Plus, they must institute the prevention and mitigation efforts expected of them under laws, regulations, and their ongoing fiduciary duty obligations.

This means putting into practice the prevention techniques supplied by the FBI and its Internet Crime Complaint Center (IC3). These include having back-ups that are offline, using multi-factor authentication, having periodic cybersecurity health check-ups (including penetration testing), and updating cybersecurity policies and procedures to reflect changes to the risk landscape, rules, and the organization’s own past incidents.

Periodic and up-to-date cybersecurity training of staff at all levels is essential and increasingly expected by regulatory agencies and law enforcement bodies (see the proposed amendments to NYDFS’s rules above), especially since some of them offer their own courses to the public.

And creating a speak-up culture in which employees feel empowered to admit they might have made a mistake, undergirded by incentives that reward such admissions, will go a long way before any consideration of these “pay or don’t pay a ransom” requirements begins.

Endnotes:

[1] The “changing and increasing” is all true: ransomware is one of the most common types of malware attacks today, and attackers use many ways to infect their victim targets – from email phishing campaigns, to purchasing credentials off the dark web, to exploiting software vulnerabilities. Last year, Homeland Security Secretary Alejandro Mayorkas stated that “the rate of ransomware attacks increased 300% in 2020.”

Julie DiMauro is the director of compliance training at Compliance Week, working in New York City. She is an adjunct professor at Seattle University Law School’s Master of Law Program, a member of the NY State Bar Association’s ESG Committee, co-chair of the Financial Women’s Association, and a contributing editor to the FCPA Blog.

The views, opinions and positions expressed within all posts are those of the author alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with the author.