Calling on All Companies to Report Ransomware Attacks

Government and industry are rallying against ransomware amid an ongoing wave of attacks with national and international impact. Among a wide range of anti-ransomware initiatives, immediate attention has turned toward getting companies to report ransomware attacks to authorities rather than trying to remediate or negotiate their own way out.

Calls for greater transparency are coming from several quarters worldwide. These include an action plan from the private-sector Ransomware Task Force, directives from the U.S. government, proposals from leaders in Australia and appeals from Europol.

Lack of Reporting Thwarts Anti-Ransomware Efforts

Companies are often reluctant to report ransomware attacks for a variety of reasons, whether to protect their brand’s reputation, limit liability, preserve their share price, avoid the attention of regulators or stave off disruptive law enforcement investigations. Some are required to inform regulators (and, less often, law enforcement agencies) under data privacy laws such as Europe’s General Data Protection Regulation (GDPR), the Health Insurance Portability and Accountability Act (HIPAA) and the California Consumer Privacy Act (CCPA), which all require timely reporting of breaches that expose personal information.

Still, experts see gray areas and gaps in reporting requirements — for example, when cybercriminals target infrastructure operations or companies’ trade secrets rather than personal information. Another issue is the current patchwork of state, national and international cybercrime reporting policies, rules and systems from myriad regulatory and enforcement agencies.[1] A third problem: Companies sometimes doubt the value of reporting because law enforcement agencies have limited resources, according to Europol.[2]

Dutch research recently showed that only one in seven victims (businesses and consumers) reported cybercrime of any kind, whether ransomware, data theft or another type of attack.[3] When it comes to ransomware, specifically, another report found about half of the surveyed companies in the U.S. and Europe would notify law enforcement agencies of an attack, and 45% said they would report it to data protection regulators.[4] Yet other experts point out that even companies with the best of intentions ultimately decide against reporting.

“Corporate ransomware victims are discreetly paying the ransoms and are (lawfully) sweeping the incidents under the rug,” according to a former official with the U.S. Securities and Exchange Commission (SEC).[5]

In turn, the lack of reporting hinders the ability to create an accurate overview and mount effective countermeasures, Europol says, adding: “There is the need to foster a culture of acceptance and transparency when organizations or individuals fall victim to cybercrime.”

Below is a brief survey of new anti-ransomware reporting recommendations, requirements and information-sharing efforts.

Federal Contractors Must Report Attacks

A new executive order will require U.S. government contractors to report ransomware and other cyber incidents, both to the agency with which they have contracted and to other regulatory and enforcement bodies.[6] Typically, such government procurement mandates permeate more broadly throughout the private sector as they become best practices.

Meanwhile, the Department of Homeland Security also issued a new requirement for pipeline owners and operators to report confirmed and potential cybersecurity incidents.[7] And lawmakers are preparing legislation on reporting requirements.

“We have no actual system in place to make [any company] mandatorily report information to the government in real time so that we could have a full-fledged response,” said Senate Intelligence Committee Chair Mark Warner on a television broadcast. Warner suggested limited liability protections and confidentiality for companies that do submit reports.[8]

Details to come will determine the impact on companies large and small. “Arguably, sharing may help to improve prevention, detection and responses to breaches, but smaller vendors with fewer resources to address compliance may feel the largest impact,” The Wall Street Journal reported.[9]

And as one cybersecurity expert noted, “The coming directives over the next few months and years may be gradual, or they may be more sudden, depending on how events and incidents unfold … so start planning for it now.”[10]

Ransomware Task Force Recommends Reporting Mandate

A new Ransomware Task Force, including 60 U.S. and international companies and advocacy groups, has issued an anti-ransomware strategy listing 48 action items that range from coordinated international diplomatic and law enforcement efforts to greater cryptocurrency regulation.[11]

The reporting of ransom payments — prior to paying any ransom — should be mandated, the group says. But it stops short of advocating a prohibition on such payments, as some are suggesting. A standard format for reporting ransomware should be developed, and protections against revealing the victim’s identity, such as anonymous notifications, should be built into the reporting process.

Anti-Ransomware Calls Echo from Europe to Asia-Pacific

Australia’s Defense Ministry recently released a statement encouraging companies to report ransomware attacks.[12] But Australia’s Labor Party is calling for a stronger, mandatory ransomware notification scheme as part of a national strategy.[13] While the country has a reporting requirement covering breaches that compromise personal data, Labor leaders said a parallel regime is needed for ransomware.

Initiatives in Europe, meanwhile, include one addressing the energy sector and other infrastructure providers. Essential digital service providers and electric utilities are required to notify national authorities of serious incidents, for example.[14] Legislation is expected to take effect soon to reinforce and streamline this information sharing across the European Union.[15]

In a related matter in the Netherlands, the problem of international and interagency sharing of cybersecurity incident reports has prompted calls to break down barriers that keep critical information from reaching the affected businesses.[16]

The Bottom Line

Consensus is growing that companies need to be more transparent about ransomware attacks so that government and industry can get a better handle on this ongoing crime wave. Initiatives are calling for mandatory reporting and streamlined information sharing.

[1] “USA: Cybersecurity Laws and Regulations 2021,” ICLG

[2] “Internet Organized Crime Threat Assessment 2020,” Europol

[3] “Cybercrime Victims in the Netherlands Not Reporting Offenses,” ComputerWeekly

[4] “Global Ransomware Study 2018,” SentinelOne

[5] “Ransomware’s Dirty Little Secret: Most Corporate Victims Pay,” Law 360

[6] “Executive Order on Improving the Nation’s Cybersecurity,” White House

[7] “DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators,” Department of Homeland Security

[8] “Senate Intel Chairman Calls for Mandatory Reporting of Hacks After Colonial Pipeline Attack,” CNBC

[9] “After Colonial Pipeline Hack, U.S. to Require Operators to Report Cyberattacks,” Wall Street Journal

[10] “Are DHS Pipeline Breach Reporting Mandates Just the Beginning?”, GovTech

[11] “Combatting Ransomware,” Ransomware Task Force

[12] “Australia is Fighting Back Against Ransomware,” Australian Ministry for Defense

[13] “Labor Calls for Ransomware Notice Scheme,” InnovationAus

[14] “Cybersecurity of Critical Energy Infrastructure,” European Parliament

[15] “European Energy Sector Prepares for New Cybersecurity Rules,” Wall Street Journal

[16] “CSR Recommendation Letter on the Accelerated Sharing of Incident Information,” Cyber Security Council