Should You Pay Ransom?

Ransomware attacks can be devastating and tend to leave an organization with very few options, including restoring data from the last organizational backup, if that exists; rebuilding the organization’s entire network; or pay the ransom the threat actor demands. However, if you are a municipality, such as a state or a local governmental entity, your options may be even fewer.

On June 24, Florida’s governor signed HB 7055 into law, which will amend its State Cybersecurity Act. The Act requires that if a Florida state entity, county, or municipality experiences a ransomware incident, the entity must notify the Florida Department of Law Enforcement’s Cybersecurity Office and the Cybersecurity Operations Center (CSOC) within 12 hours. Importantly, the Act also prohibits the entity from paying or otherwise complying with a ransom demand.

Florida is not the only state to implement prohibitions against ransomware payments. On November 18, 2021, North Carolina became the first entity to ban ransomware payments following an attack on state and local governmental entities, and even prohibits communicating with the threat actors following an attack.

New York legislatures are currently considering Senate Bill S6806A, which would prohibit “governmental entities, business entities and health care entities from paying a ransom in the event of a cyber incident or a cyber ransom or ransomware attack.” A similar bill, Senate Bill 726, was approved by the Pennsylvania Senate in January 2022, which would prohibit the use of taxpayer funds to pay ransoms, unless the governor has made a declaration of a disaster emergency and authorized the payment.

Industry participants predict that in the coming months, similar laws will be introduced in several additional states. Additionally, after the enactment of the Security of Critical Infrastructure Rules (LIN 22/026) in Australia, the UK’s National Cyber Security Centre (NCSC) and Information Commissioner’s Office (ICO) have reportedly submitted a letter to the Australian Law Society implying that, “paying a ransom could become a crime.” As such, public and governmental entities should prepare themselves for a mandatory change in approach to dealing with these ransomware attacks.

As this article from Security Boulevard notes, these prohibitions make ransomware attacks “significantly more complicated,” as the same prohibitions that apply to an organization could apply to the insurance companies that maintain their cybersecurity insurance. As such, these insurance companies could be prohibited from issuing payments to a threat actor to mitigate or prevent any further, more substantial, damage from occurring—which would require the insurance company to potentially incur enhanced risk. Security Boulevard further notes, “instead of paying the $5,000 ransom, the insurance company is now required by law to pay the $25 million cost of rebuilding the entire network.”

Based on this additional prohibition, insurance companies are expected to “cap their damages and losses at either the cost of the ransom demand or the cost of rebuilding—whichever is lower.” This will leave these organizations with a required risk-assessment to determine if the costs and punishment incurred from paying the ransom demand would be more cost-effective than the inevitable and unshared cost of paying to rebuild and restore the data stored in their systems.

In order to best protect your organization, proactive measures should be implemented to reduce the risk of ransomware attack and to ensure that your organization can recover from the attack without the need to issue these prohibited payments.

These proactive measures can include implementing multi-factor authentication (MFA) measures, implementing endpoint detection and response tools at each entity level, and mandating regulator organization-wide operational system backups to be stored in a separate system from those that house the organization’s system.

* * * * * * *

To read our coverage on the Cross-Border Data Transfer Security Assessment Measures issued by the Cyberspace Administration of China, China’s cybersecurity regulatory agency, click here.

For ADCG’s Breach Report and more news updates discussing: House Advances American Data Privacy and Protection Act; FCC Seeks Data Privacy and Retention Info From Mobile Providers; Denmark Schools Ban Google Products Over Data Privacy Issues; and Uber Admits to Massive Cybersecurity Breach, click here.

To browse through our previously published articles and news alerts, please visit our website, and don’t forget to subscribe to receive free weekly Data and Cyber Governance news and Breach Reports directly to your email.

Our Podcasts are released every Thursday, here. They can also be enjoyed on Spotify and Apple Podcasts. Don’t forget to subscribe!