This is Part 2 of a two-part series.
In Part 1 of this series, I discussed the ever-increasing prevalence of Ransomware attacks and went over what you could do to prevent, or at least reduce the likelihood of, being hit. But what should you do if the hackers get in? A formal Incident Response Plan must be in place, and practiced via tabletop exercise, well in advance of an attack. The Plan is sequentially numbered, but many actions can and should be conducted simultaneously or in a different order that best suits your situation. It is imperative, however, that No. 1 be in place before proceeding further. As discussed below, insurance is obviously also an issue that should be considered before an attack.
The Incident Response Plan
1. Involve counsel immediately. It is imperative to bring as much of your response as possible under the umbrella of attorney-client privilege or the work-product doctrine. If you have in-house counsel, he or she should take the lead and must be included on all internal communications, which should be labeled “Attorney/Client Privileged.” It is even better to retain outside cyber counsel to orchestrate the response and assure privilege. If you have Ransomware coverage, your insurance company should be able to provide an experienced attorney from its panel. Be aware, however, that your initial communications with the carrier will not be privileged, so keep them to a minimum, and don’t use the word “breach.”
2. Immediately take all communications offline. Use in-person meetings or calls on personal cell phones, and assume the attackers can read corporate email and chat until the forensic investigation shows otherwise. You do not want the bad guys to know you’re onto them. You also do not want to create a “paper trail” of any of your shortcomings, for example, “I told you we had a problem with our endpoint security.” There should be no internal communications without an attorney heading them up. Everything outside of that is likely to be discoverable in subsequent litigation.
3. Isolate the infected device from the network immediately: pull the network cable, disable Wi-Fi, or block it at the switch or firewall. Do not wipe or reimage it, and check with your forensic consultant before powering it off, because a hard shutdown destroys the contents of memory, which may hold evidence of how the attacker got in and what they did. In conjunction with your IT people, disconnect or segment other devices from your internal network to ensure, to the greatest extent possible, that they cannot be infected.
4. Preserve all logging. Logs are the most important tool for tracing the point of entry and stopping further intrusion. They are also relevant to potential government investigations and to defending a subsequent action challenging your practices. If your logs roll (in other words, if they are overwritten by default), increase disk space or retention immediately, and copy the existing logs, with cryptographic hashes recorded at the time of collection, to separate write-protected storage. Include firewall, VPN, endpoint, and cloud audit logs, not only the logs on the infected machine.
5. Issue a document preservation notice. Although this will not mitigate the Ransomware attack, it is something you must do from a legal standpoint. But send it only to necessary individuals so as not to cause undue alarm within the company.
6. Retain a forensic consultant. Depending on the severity of the attack (and whether your IT department is up to the job), it may be wise to hire a professional forensic consultant to get to the bottom of things and determine the true extent of the attack. This is becoming increasingly important as Ransomware attacks become more sophisticated, including, for example, the theft of data before it is encrypted and demands for payment in cryptocurrency. A forensic consultant will also be helpful in working with law enforcement, such as the FBI. The consultant must be retained by an attorney, inside or outside, to preserve privilege to the greatest extent possible.
7. Notify your insurance company. If you have insurance that covers a Ransomware attack, notify your carrier immediately, as your policy may have a notice requirement. The insurance company will have the expertise and resources to assist you in responding to the attack and negotiating with the hackers. These resources may well include a forensic consultant. However, as already noted, keep your initial comments to a minimum. The pros and cons of purchasing cybersecurity insurance coverage in the first instance are discussed below.
8. Notify law enforcement. Remember, you are a victim. In addition to the possibility of catching the bad guys, avoiding payment, and recovering anything that has been exfiltrated (transferred out), there is substantial goodwill associated with contacting law enforcement right away. It establishes that you have nothing to hide.
9. Assess the damage. What was accessed? Was any data actually exfiltrated? If so, how much? Was that data encrypted, which many breach statutes treat differently from data in the clear? The answers to these questions will determine whether the breach is reportable under state data breach laws (see No. 12 below).
10. Restore data. As we discussed in Part 1 of our series, backup is critical. Once the affected device is disconnected from the network, you should be able to restore files that have not been corrupted by malware. First confirm that the backups themselves are intact and were not encrypted or tampered with, and restore only onto systems that have been cleaned or rebuilt and only after the attacker’s access has been closed; otherwise the restored data may simply be encrypted again. Although you will still need to determine whether to pay a ransom, at least your business should be able to continue to operate in the meantime.
11. Change passwords. After the infected device is removed from the network and the attacker’s access has been cut off, all system and network passwords must be changed, including service accounts, API keys, and any credentials the attacker could have harvested; in an Active Directory environment, that includes the krbtgt account. Changing passwords while the attacker still has access only hands them the new ones, and failing to change them leaves the targeted organization vulnerable to further attacks.
12. Report as appropriate. Counsel should assist with this. You must determine whether the breach is reportable, and the answer will vary depending upon the jurisdiction of the person whose data was accessed or exfiltrated. All 50 states, as well as the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring private or governmental entities to notify individuals of security breaches involving personally identifiable information. Many jurisdictions also require reporting to a consumer agency as well as law enforcement if a certain threshold is met. Many jurisdictions mandate that the affected company supply at least one year of credit monitoring, so you will need to work with the credit reporting agencies such as Experian or Equifax to get the ball rolling if applicable. However, do not undertake any reporting action until you know with reasonable certainty what occurred. You do not want to inform the public of something and then, a few days later, have to change your story.
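The technical steps in the plan (isolating the infected device and preserving logs in a form that can be relied on later) should be scripted before an incident so they are not improvised under pressure. The following is an added example written for this page, not code from the original article or from Constangy. It assumes a Linux host with GNU coreutils (sha256sum) and, for the isolation function, iptables and root privileges; the function names, directory names, and the sample log line are constructed for illustration.

```shell
#!/bin/sh
# Evidence-preservation helper for a ransomware response (added example, not
# from the original article). Assumes GNU coreutils; isolate_host additionally
# assumes iptables and root, and is defined here but not run automatically.

# isolate_host RESPONDER_IP
# Cuts the infected host off from everything except loopback and one
# responder address, so forensics can still reach it while attacker
# command-and-control cannot. Equivalent to "pull the cable" without losing
# remote access. Must run as root; not invoked below.
isolate_host() {
    responder="$1"
    iptables -F
    iptables -P INPUT DROP
    iptables -P OUTPUT DROP
    iptables -P FORWARD DROP
    iptables -A INPUT  -i lo -j ACCEPT
    iptables -A OUTPUT -o lo -j ACCEPT
    iptables -A INPUT  -s "$responder" -j ACCEPT
    iptables -A OUTPUT -d "$responder" -j ACCEPT
}

# preserve_logs SRC_DIR DEST_DIR
# Copies SRC_DIR (for example /var/log) into a timestamped evidence directory
# under DEST_DIR, records who collected it and when, writes a SHA-256 manifest
# of every file, and makes the copy read-only. The manifest is what lets you
# show later that the logs were not altered after collection. Prints the
# evidence directory path.
preserve_logs() {
    src="$1"
    dest="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    evid="$dest/logs-$(uname -n)-$stamp"
    mkdir -p "$evid"
    # -p keeps ownership and modification times; those are evidence too.
    cp -pR "$src"/. "$evid/"
    # Collection record is written first so that it is hashed with the rest.
    printf 'collected_by=%s\nhost=%s\nsource=%s\ncollected_at=%s\n' \
        "$(id -un)" "$(uname -n)" "$src" "$stamp" > "$evid/COLLECTION.txt"
    # Deterministic order so two collections of the same data hash identically.
    ( cd "$evid" && find . -type f ! -name MANIFEST.sha256 | LC_ALL=C sort |
        while IFS= read -r f; do sha256sum "$f"; done > MANIFEST.sha256 )
    chmod -R a-w "$evid"
    echo "$evid"
}

# verify_evidence EVIDENCE_DIR
# Succeeds only if every file still matches the hash recorded at collection.
verify_evidence() {
    ( cd "$1" && sha256sum -c --status MANIFEST.sha256 )
}

# Constructed demonstration: a throwaway directory standing in for /var/log.
demo_src=$(mktemp -d)
printf 'Jan 1 00:00:01 host sshd[1]: Accepted password for admin from 10.0.0.5\n' \
    > "$demo_src/auth.log"
demo_evid=$(preserve_logs "$demo_src" "$(mktemp -d)")
verify_evidence "$demo_evid" && echo "evidence intact: $demo_evid"
```

Run preserve_logs as early as possible and again before any remediation that might rotate or overwrite logs; hand the printed directory and its MANIFEST.sha256 to the forensic consultant, who can rerun verify_evidence at any later point. Extend the same routine to exported firewall, VPN and cloud audit logs, since the infected machine's own logs rarely tell the whole story.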
The Ransom: to pay, or not to pay?
The cost of a single cyberattack can be substantial and include expenses for forensic investigators, remediation, legal advice, and other potential expenses. And then there’s the ransom demand. Should you pay? The efficacy of paying the ransom is questionable if your system is backed up. Indeed, what exactly are you buying if you pay? Should you believe the hacker’s promise that your data will be destroyed and not disclosed or sold if you pay? That may not be a good bet. And even if the data is not publicly disclosed, it’s safe to assume that the hackers will, or already have, monetized the information.
It is for these reasons that the FBI publicly advises against making ransomware payments. That only encourages the bad guys, the agency says. Nonetheless, many companies choose to pay in order to avert the damage and public embarrassment from the potential exposure of sensitive data. As we discussed in Part 1, Colonial Pipeline did just that—paying 75 Bitcoin (worth $4.4M at the time) in ransom to hackers. The decision whether to pay ransom is generally based on a cost-benefit analysis, made with your insurer (if you have one), and after you have a thorough understanding of who and what you are dealing with. If you are required by law to report the attack, the attack will become public anyway, so you must also consult with legal counsel in making your decision.
Should you buy cyber insurance?
Because of the potential exposures of a cyber attack, most large companies have purchased cybersecurity insurance, and an increasing number of smaller companies are doing likewise. However, cybersecurity insurance, at least Ransomware coverage, has become a two-edged sword. Cybercriminals who hack into corporate and government networks routinely try to learn how much cyber insurance coverage the victims have. Knowing the victims who can afford to pay can give the criminals an edge in ransom negotiations. The cybersecurity insurance industry, too, is a prime target for crooks seeking its customers’ identities and scopes of coverage. As a result, many insurance companies are eliminating Ransomware coverage altogether, and when it is offered it is becoming less affordable. The decision to purchase cybersecurity insurance is a business decision based on an analysis of the benefits and the costs. Consult with your insurance broker.
In any event, investment in the preventive cybersecurity measures that we discussed in Part 1 is of paramount importance and your best bet for reducing exposure. Any insurance company that is offering Ransomware coverage will first look to your preventive measures and Incident Response Plan to determine whether they even want to provide coverage – and, if so, at what price.
This series is not meant to be exhaustive but instead to provide a primer on the world of Ransomware, and on how to avoid an attack, or at least mitigate the effects of one. Consult with your attorney. Constangy is here to help!