Laws Pending on Reporting and Paying Ransomware in 2022
 

U.S. policymakers latched onto the idea of ransomware reporting requirements as a step they could achieve amid what seemed like an unstoppable ransomware crime wave in 2021. Legislators see reporting as necessary to protect national security and take decisive action against cybercriminals and their state sponsors.[i] But some companies fear that government interventions might be more intrusive than helpful as they try to recover from ransomware attacks.

A bipartisan measure nearly passed in December as part of a bigger defense spending bill, but it failed at the last minute. Efforts are expected to resume in 2022.

December’s outcome represents the tip of the iceberg, with several bills circulating in Congress in addition to edicts by federal agencies and similar measures in some states. As the debate swirls, Mimecast research shows that many companies are going ahead and paying the ransom when they’re attacked, but they’re not reporting being attacked in the first place.

Ransomware Bills and Directives Proliferated in 2021

Each of the handful of federal ransomware reporting bills proposed in 2021 takes a slightly different approach, providing a glimpse at what companies may face in 2022, including:

• Cybersecurity Incident Notification Act (CINA): This first major bipartisan measure by leaders of the Senate Intelligence Committee would require companies to report any cybersecurity breach or attempt with potential national security, government or economic impact within 24 hours. Federal agencies would define such details as which companies would be covered, but the bill already specifies federal contractors, operators of critical infrastructure and providers of “cybersecurity incident response services.” To encourage companies to come forward, public disclosure would be limited when possible. A failure to report would carry a civil penalty of up to 0.5% of gross revenue from the prior year for each day the company fails to report. The bill also includes commitments on the part of the federal government to analyze and act on the information received.[ii]
• Cyber Incident Reporting Act: Differences with the previous bill include a longer window for reporting incidents (72 hours) and the prospect of criminal penalties.[iii]
• Other bills: Among other proposals, the Ransom Disclosure Act would require any company engaged in interstate commerce to report ransomware payments within 48 hours, with penalties for nonreporting to be determined later.[iv] The Ransomware and Financial Stability Act would ban banks from paying most ransom demands.[v] Some individual states have also proposed legislation banning state agencies, local governments and some businesses from paying ransom.[vi]
• Defense Authorization Act Amendment: This is the measure that failed to pass Congress in December. But it included aspects of CINA and other pending legislation that could reflect a consensus among policymakers for 2022 legislation. Notable among them is a 72-hour window for reporting an incident, rather than the 24-hour requirement in CINA. That said, any actual ransomware payment would have to be reported within 24 hours.[vii]

Regulators Are Already Issuing Reporting Requirements

While the laws currently advancing in Congress would codify and strengthen ransomware reporting requirements, several directives from the U.S. federal government in 2021 already cover U.S. government agencies and their contractors, pipeline operators and transportation companies. U.S. financial regulators have jointly updated banks’ requirement to report a cybersecurity incident within 36 hours.[viii] National and state privacy and data breach laws may also apply in the U.S. and other countries.[ix]

Some Ransom Payments Could Be Banned 

While there is less of a push to ban the payment of ransoms in the U.S., the Treasury Department recently warned that it could punish anyone who pays ransom to individuals or organizations that are on its sanctions list.[x] Treasury officials summed up the prevailing sentiment in Washington by saying: “The U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands and recommends focusing on strengthening defensive and resilience measures to prevent and protect against ransomware attacks.”

Worldwide, the Gartner research group predicted that: “The percentage of nation-states passing legislation to regulate ransomware payments, fines and negotiations will rise to 30% by the end of 2025, compared to less than 1% in 2021.”[xi] 

Companies Split on Reporting and Paying Ransom

Companies that may be victimized by ransomware are viewing these developments with ambivalence. For example, the Chamber of Commerce remained silent on the subject of reporting requirements in its statement on ransomware, instead calling for more government efforts to disrupt international ransomware payment systems and enhance international law enforcement resources, among other steps.[xii] Another group, the public-private Ransomware Task Force, has supported mandatory reporting but stopped short of recommending a ban on paying ransom.[xiii]

Companies can argue both sides of the rationale for paying ransom. In soon-to-be published Mimecast survey data, 72% of U.S. companies attacked by ransomware said they paid the criminals (with only 19% actually recovering their data). An earlier survey, for Mimecast’s State of Ransomware Readiness 2021 report, provided greater detail at the global level, including:

• Reporting: About a third (31%) reported the attack to the local data privacy agency and 25% notified law enforcement (with potential overlap between these two responses).
• Why some companies paid: Over half (51%) said they wanted to recover their data quickly, while 37% believed they could get some or all of their money back, and 26% feared their data would be publicly released or sold.
• Why others didn’t pay: Nearly half (47%) thought that paying ransom would only encourage another attack on their company, while the same number said they had sufficient data backup and recovery systems to forgo paying. Only about one in 10 feared they would be sanctioned by officials for paying the ransom.

In the Ransomware Readiness survey, 77% of companies reported feeling prepared to fend off ransomware attacks. But the report also found that 80% of companies had been successfully attacked, delivering a mixed prognosis on ransomware for the year ahead.

The Bottom Line

2022 is likely to produce more requirements for companies to report ransomware attacks and payments. Some observers are even predicting bans on ransom payments in certain situations or countries. Meanwhile, many companies are just paying up.

[i] “Following SolarWinds & Colonial Hacks, Leading National Security Senators Introduce Bipartisan Cyber Reporting Bill,” Sen. Mark R. Warner

[ii] “Cybersecurity Incident Notification Act,” U.S. Senate

[iii] “Cybersecurity Incident Reporting Act,” U.S. Senate

[iv] “Warren and Ross Introduce Bill to Require Disclosures of Ransomware Payments,” Sen. Elizabeth Warren

[v] “Ransomware and Financial Stability Act,” U.S. House of Representatives

[vi] “State Legislatures Consider Bans on Ransomware Payments,” JD Supra

[vii] “Amendment,” Politico

[viii] “Twice as Fast, Twice as Much: New Notice Requirement for Cyber Incidents,” JD Supra

[ix] “Obligation to Proactively Reduce Vulnerabilities to Ransomware Attacks and

Requirements Regarding Health Data Breach Reporting,” California Department of Justice

[x] “Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments,” U.S. Treasury Department

[xi] “The Top 8 Cybersecurity Predictions for 2021-2022,” Gartner

[xii] “U.S. Chamber Calls on U.S. Government to Act Decisively Against Cyber Threats to Deter Further Attacks,” Chamber of Commerce

[xiii] “Combating Ransomware,” Ransomware Task Force