Cybersecurity issues continue to keep in-house counsel up at night, so many legal departments are examining their cyber incident response plans and tightening up security amid a rise in ransomware attacks.
At a recent webinar hosted by Norton Rose Fulbright LLP, experts examined prevention and recovery strategies, as well as legal and regulatory considerations for dealing with a ransomware attack.
Imran Ahmad, partner, and Canadian head of technology, and co-head of information governance, privacy and cybersecurity at Norton Rose Fulbright outlined Two major developments that have occurred in ransomware over the past two years:”
Businesses should either have cyber insurance in place, or budget for the costs associated with a major ransomware incident, Ahmad said. The budget should cover legal costs, forensic investigations, incident response vendors, ransom payment, business interruption, e-discovery, and security hardening.
Over the past two years, cyber security insurers have spent more money on claims than they brought in on premiums, so they have heighted and restricted some of the conditions, and set lower limits, Ahmad added.
“With ransomware, it’s not a question of if or when, but how many,” said John Cassell, partner and Canadian co-head of information governance, privacy and cybersecurity at Norton Rose Fulbright. “In no other area does proactive preventative steps make as big a difference as when preparing for a ransomware incident.”
Being ‘ransomware ready’ allows organizations to respond with speed, and improves coordination and execution of the incident response, Cassell said. The first step is to develop or improve upon your cyber incident response plan, which will allow the organization to move quickly and in a coordinated manner when responding to a cyber incident.
The CIRP should include names and contact information of all individuals who are responsible for responding to a breach, including internal members of the organization and back-ups in case primary individuals are unavailable.
Another key element of the CIRP, Cassell said, is to pre-onboard incident response vendors including breach counsel.
“By pre-onboarding them, this allows them to be pre-approved by the cyber insurer, and critically improves the speed of the response because there is no due diligence required of these vendors, and they are already familiar with your environment,” said Cassell.
Another useful component to include in the CIRP is a regulatory reporting check-list with reporting requirements that are applicable in all jurisdictions where the organization operates.
Every minute counts when a company is crippled by the effects of a cyber security incident, so a co-ordinated response is key. Implementing the cyber response plan is the first step, after which it is important is to contain the incident and secure the environment, Ahmad said.
Although Ahmad does not recommend paying any kind of ransom, he said: “there are instances where you may want to engage with a threat actor to bring down the temperature, because if you don’t engage, sometimes they will start escalating by calling your customers or employees, therefore raising the pressure significantly for a potential payment.”
If the decision is made to pay a ransom, it is important to consider the legality of making this payment.
“If the individual making the ransom demand is on a sanctions list, either in Canada or some other jurisdiction, it would not be legal to make that payment,” said Stephen Nattrass, partner and head of the regulations and investigations team in Canada at Norton Rose Fulbright. If the demand has been made by an individual who is not specifically on the sanctions list but is connected to someone on the list, it is important to do due diligence to check if it is a spin-off group or a subsidiary.
After responding to a ransomware incident, it is imperative that organizations emerge from the incident in a stronger, more secure position.
“Organizations typically perform a 360-degree review of their entire environment,” said Cassell. “One of the most common remediation steps is implementing or improving an existing incident response plan.” Implementing or improving a back-up and restoration strategy is the next step, in addition to possible dark web monitoring, he added.