When should corporate victims of cybercrime call the FBI?

The cybersecurity landscape in all respects, from the threats posed to the methods used to counter them, plus the regulatory requirements about how to prevent, detect and mitigate cyber incidents, is always changing. That’s a given. What’s a little harder to understand is how to work with the government, and when to do so, during an unfolding cybersecurity crisis.

The WSJ reported on February 9 that after FBI agents infiltrated the networks of Hive, a ransomware group that had extorted about 1,000 companies, hospitals, and other targets, the agency learned something shocking from its investigative data.

Their discovery? Only 20 percent of these affected businesses had approached law enforcement about their attacks.

We often hear about law enforcement and business partnerships, sandboxes, and cooperation credit regimes that exist to coax businesses into reporting incidents early, turning over evidence, and, as needed, even admitting their missteps, such as poor backups, stale lists of employee permissions, unsupervised personnel, and poorly vetted vendors.

But many businesses are just not using them. They are trying to minimize the reputational damage of any added attention and to avoid the extra work and delay that can come with having others sift through their data and weigh in on an investigation.

The FBI has taken its message to another level now, telling gatherings of Fortune 500 executives that the bureau will offer top-notch and discreet service (“Ritz Carlton-level customer service”) to businesses that are the victim of a cyberattack and that it will “fight with regulators and deal with the media on their behalf.”

The FBI says it wants to turn around the perception companies might have that the bureau is looking for other evidence of crimes, corrupt practices, or regulatory compliance negligence. It emphasizes that it is there only to focus on the cybersecurity breach, to protect victims, infrastructure, and intellectual property.

Cybersecurity reports, responses, and competency.

Companies have many considerations to weigh when it comes to reporting to law enforcement and soliciting its assistance. Part of their analysis involves sifting through the many laws (proposed or actual) in this arena that mandate different timelines for reporting, determine whether a business may legally pay a ransom, and set out what type of cybersecurity expertise is expected at their business.

For example, a Senate bill called the Cyber Incident Reporting Act of 2021 (S.2875) was specifically targeted at ransomware incident reporting, but it failed to pass Congress. Among other things, it would have included a 72-hour window for reporting a ransomware incident and mandated that any ransomware payment be reported within 24 hours.

Several states have also either passed or proposed legislation banning state agencies, local government, and some private businesses from paying ransoms.

The New York Department of Financial Services (NYDFS) has explicit rules about when to notify the superintendent of a cybersecurity incident in which an unauthorized user has gained access to a privileged account, or of an event that has resulted in the deployment of ransomware within a material part of the entity’s information system.

Businesses that make a ransomware payment in connection with a cybersecurity event must notify the NYDFS within 24 hours of the payment, and within 30 days, outline for the agency why the payment was deemed necessary.

Enhanced oversight and cybersecurity expertise are also expected at the board and C-suite levels of all of the businesses NYDFS oversees.

What businesses should consider doing now.

If the FBI says it can hold the regulators at bay and help mediate your work and reporting with them, it behooves businesses to take the Bureau seriously. The incident response, reporting, oversight, and expertise requirements that regulators are placing on businesses make it essential that companies get as much assistance as possible to manage these incidents.

A more thorough investigation will help inform a later audit of what went wrong, and it will help remediate damage that may extend well beyond the company’s own corporate boundaries but still stem from its cybersecurity incident.

It also means planning and budgeting for these incidents and requirements: the changes and testing expected for incident response plans, the costs of enhanced expertise, audits, and risk assessments, and the expenses associated with coordinating one’s work with more outside entities and experts. We all know none of these are free of charge.

I’ll let the FBI have the final word here. At a conference last year, the bureau assured businesses of what it will say if the Securities and Exchange Commission tries to use evidence gleaned from FBI cyber investigations as leverage to charge businesses in enforcement actions.

“The regulatory relationship is between the regulator and the victim. The FBI is not a proxy for that, and we will never allow ourselves to be used as proxy.”
