Increase in ransomware attacks and developing regulatory response

Ransomware, a particularly pernicious threat, has grown unabated. Ransomware actors have continued to pursue private companies and individuals relentlessly.

(Source: Cybersecurity Ventures, CyberCrime Magazine)

In the US, regulators are taking a more aggressive approach to compulsory reporting. For example:

• In the summer of 2023, the Securities and Exchange Commission (SEC) released rules that require registrants, including foreign private issuers under certain circumstances, to report cybersecurity incidents within four days of making a determination that such incidents are material under US securities law.
• Similarly, the US Department of Homeland Security will be releasing regulations in 2024 requiring covered critical infrastructure entities to report covered incidents within 72 hours of their occurrence (whether or not they are deemed material).
• In the EU and UK, companies must report personal data breaches without undue delay, and usually within 72 hours, to the relevant data protection authority.
• In the EU and UK, operators of essential services and relevant digital service providers must notify the applicable competent authority of a relevant cyber incident without undue delay, and within 72 hours. Similar reporting obligations exist for other regulated companies (eg, those in the financial sector). Both the EU and UK are implementing reforms which will soon expand the scope of businesses caught by such requirements (such as to managed IT service providers).

Preparation is key

(Source: Wired Magazine)

When an attack occurs, several preparatory factors can make a crucial difference to the company’s ability to respond to an attack:

• Backup and recovery capabilities. Sufficient data backups can ensure that offline copies are readily available to restore company operations to sufficient operating capacity notwithstanding the loss of access.
• Data and system mapping. Companies that have mapped data and system infrastructure are in a strong position to assess the potential implications of an attack and understand what their options may be given those implications.
• Sufficient logging and monitoring. Once an attack occurs, visibility into the systems can make a crucial difference as to confidence levels about impacted information. Logging and monitoring provides visibility to experts to help assess implications and options.

Whether to pay ransoms

Independent of the operational facets of a ransomware attack, paying ransoms always carries certain legal risks for which companies must be prepared to establish procedural controls.

In particular, many jurisdictions have sanctions regimes that prohibit economic commerce with certain specified actors. In the US and UK, it is a strict liability criminal offence to make payments to sanctioned individuals. This means that the liability attaches regardless of whether a company actually knew the actor was sanctioned. EU sanctions may be similar in many regards to US and UK sanctions but can also be more or less extensive for individual groups or persons. Regulators are becoming more proactive with sanctions designations, so the risk of committing a sanctions offence is more than just theoretical. For example, in early 2023 individuals connected with Trickbot (a Russian ransomware group) received sanctions designations in both the UK and US.

Insider threats

While organisations should always be wary of the threat of malicious hackers, it is important not to underestimate the risk of insider threats to personal data. In particular, we continue to see:

• Disgruntled employees, who consider themselves whistle-blowers, leak information about their employers to third parties.
• Individuals who make it their moral duty to alert the public of how allegedly unsecure their organisation’s systems are, and inadvertently cause a personal data breach in the process.
• Simple human error (eg, clicking on phishing links or attaching the wrong documents in emails to external contacts).

Once again, there are steps that can be taken to mitigate these risks. For example, organisations can:

• Monitor for any surge or irregular patterns that might indicate employees exfiltrating data via email or otherwise.
• Restrict access to the most sensitive data.
• Place limits on how much data individuals can send externally without relevant approvals.
• Implement regular training on privacy and cybersecurity obligations. While this might not stop insiders that are determined to exfiltrate personal data, it might reduce the occurrence of human error and assist with manual detection.

Development in fine sizes and increased litigation risk

The damage suffered by companies affected by a cybersecurity incident is not always immediate. Often, the looming damage goes beyond the incident. If employee, customer, or other sensitive data is lost, authorities regularly initiate proceedings for privacy violations, which may grow to full-scale audits—even onsite—of the entire organisation.

In the EU and UK, for example, these proceedings can result in substantial fines where there have been inadequate protective measures against cyber breaches. This reflects the fact that many regulators have developed their own cyber and data privacy expertise in recent years.

While the highest fines issued by EU regulators tend to concern data privacy violations that are not related to cyber attacks, many European data protection authorities are no less proactive (and in some cases, more proactive) than the UK’s ICO in pursuing enforcement action against organisations that suffer cyber attacks.

At the beginning of 2023, the UK ICO started publicising information regarding various complaints and concerns brought to its attention and reprimands it had issued, possibly providing more fuel for claimant law firms to find non-compliant organisations to target. As part of a new approach the ICO has also pledged to ‘do more’ to publicise cases so that there is wider learning.

In the US, litigation risk originates from multiple potential sources. The Federal Trade Commission (at the federal level) and state Attorneys General typically have authority to bring various categories of actions related to breaches. The SEC is also expected to increase its inquiries and potential actions in light of new cybersecurity rules that come into effect in December 2023. Finally, private litigants of various stripes have the ability to bring actions against a company, whether because their personal data is directly affected by the breach (under certain regimes), or as interested shareholders via securities class and derivative actions.

Looking ahead

The cyber risk landscape will continue to evolve, particularly in light of emerging risks associated with AI and quantum computing. Regulatory frameworks that cover cybersecurity are also likely to develop in the coming years, though perhaps not at the same pace. 

There is undoubtably a correlation between the extent to which an organisation prepares for cyber attacks and the harm (operational, financial, and legal) caused by an incident. The most effective preparation often involves co-ordination of internal stakeholders, refreshing incident response plans, testing crisis management processed with simulated attacks, and a good understanding (and mapping) of critical assets and data.

Back to top.