Ransomware attacks have been making headlines for a few years now, and cybercriminals have developed more sophisticated strategies to maximize the impact of their attacks.
Regulators have been taking action to help financial institutions combat these threats. However, maintaining regulatory compliance is only possible when you understand your organization’s responsibilities.
Dangers of ransomware
Ransomware blocks access to your device, data, and other personal information by encrypting it. The cybercriminals then hold that information hostage until a ransom is paid. Unfortunately, ransomware is often very difficult to remove, and paying the ransom does not guarantee that the criminals will actually restore access to your data.
Understanding regulatory compliance
If you experience a ransomware attack, your business stands to lose money and data and to take a reputational hit. This is where the compliance angle comes into play. How you may respond to a ransomware attack is directly constrained by what the law allows.
The Federal Bureau of Investigation does not support paying a ransom in response to a ransomware attack and instead urges victims to contact the Bureau before taking further action.
If your organization does pay the ransom, you must notify the Cybersecurity and Infrastructure Security Agency within 24 hours of payment, according to the relatively new Cyber Incident Reporting for Critical Infrastructure Act.
Also very recent is a 2020 ruling by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) and the Financial Crimes Enforcement Network (FinCEN) declaring it illegal to pay a ransom in many cases. The main point is that by paying the criminals, you are essentially enabling future attacks.
Furthermore, the matter could affect U.S. national security and foreign policy if you end up paying sanctioned individuals or jurisdictions.
The ruling applies to individuals who make a ransomware payment, not just organizations. In addition, OFAC makes clear that civil penalties may be imposed on those violating such sanctions.
The Biden administration recently enacted the Cyber Incident Reporting for Critical Infrastructure Act into law. The law states that businesses operating in critical infrastructure sectors will have mandatory reporting obligations for ransomware attacks within 72 hours of the incident. Otherwise, the organization can be fined along with other potential penalties.
Your IT department should therefore understand the reporting process specific to your industry and location.
How severe is the problem?
In early May of 2021, energy provider Colonial Pipeline paid a $4.4 million ransom after cybercriminals launched a ransomware attack that forced the company to cease operations. The attack resulted in fuel shortages throughout the East Coast.
Earlier, in June 2020, meat supplier JBS paid $11 million following a ransomware attack, which led the company to halt meat processing and temporarily shut down its plants. As a result, the price of pork and beef products skyrocketed across the U.S.
These are just a few instances of the harm cyberattackers can inflict by launching a ransomware attack.
It’s not easy to build ransomware protection that can prevent every cyberattack that could come up. However, a suitable multi-layer ransomware protection solution that can detect and block malware using threat intelligence, machine learning, and next-generation antivirus capabilities can make it difficult for most ransomware attacks to succeed. Handling each attack properly also helps close the gaps that allowed it, preventing similar incidents in the future.