No Easy Answers to Ransomware Riddle

Imagine you’re a director of a real estate company tasked with hiring a new chief executive. “Understands best practices in information security” might not be on your list of must-have qualifications. But maybe it should be.

The Securities and Exchange Commission this week announced that it settled charges against First American Financial Corporation stemming from a cybersecurity vulnerability that allegedly left more than 800 million sensitive images unsecured. First American didn’t even get hacked. It was bad enough, in the SEC’s eyes, that the company’s internal controls didn’t prompt employees to inform the C-suite.

Welcome to corporate management in the age of ransomware. This year, attacks on the Colonial Pipeline and plants owned by meat supplier JBS have drawn attention to the mounting threats posed by data hostage-takers. Companies disclosing that they’ve been targeted by recent ransomware attacks and may suffer adverse operational and financial impacts also include Allied Healthcare Products (sub. req.) and carpet manufacturer Dixie Group (sub. req.)

Cybersecurity specialists say online criminals are just getting warmed up, with targets such as water and power infrastructure ripe for attack. The fact that the most nefarious networks of e-criminals are operating in Russia and former Soviet republics makes going after them directly extraordinarily difficult.

According to security firm Recorded Future, a successful ransomware attack occurred about every eight minutes in 2020. Another analysis found that victims paid some $350 million in cryptocurrency ransom last year to perpetrators holding their data hostage. That represented a year-over-year increase of more than 300%. Worse, a recent Cybereason survey of more than 1,200 security professionals worldwide found that about 80% of businesses that paid ransom demands experienced a second attack, of which 46% believed the subsequent ransomware to be caused by the same hackers.

The spike in online thievery has left President Biden and his administration sounding the alarm on cybersecurity, urging businesses to fortify their defenses. The federal government has taken concrete steps to beef up security, including writing legislation that would pour $500 million into cybersecurity on the state and local levels. Biden also signed an executive order in May requiring companies that sell software to the government to disclose breaches of their systems.

Meanwhile, the SEC can use its authority to motivate corporate laggards to bring their cybersecurity defenses up to par. Sanctioning companies like First American for insufficient controls suggests the agency isn’t playing around. But while that strategy may work on public companies, the SEC lacks authority over private businesses. Unfortunately, that group owns most of the country’s infrastructure assets.

The Justice Department’s announcement that it recovered a sizable chunk of the Colonial Pipeline ransom did offer one intriguing possibility for deterring hackers: hitting them in the e-wallet. The FBI seized control of an online account holding nearly 65 Bitcoins, valued at approximately $2.3 million. Given that hackers prefer to deal in cryptocurrency, a reliable approach to disrupting those payment flows could deal a serious blow to the online extortion racket.

Latest Articles

Could FTC’s Updated Premerger Notification Form Usher Heavier Filing Burden?

The Federal Trade Commission and Department of Justice Antitrust Division on October 10 announced approval of long-awaited changes to a premerger notification form that provides in...

Read More

Cybersecurity Threats to Financial Services Emerge with Growth of AI

The hit film Terminator 2: Judgment Day cemented Arnold Schwarzenegger’s leading-man status with his portrayal of a reprogrammed T-800 Terminator assigned to help humanity stop the...

Read More

Companies Forced to Confront Geopolitical Risks

When JPMorgan Chase CEO Jamie Dimon talks, people in the business world listen. Some of his remarks in the banking giant’s latest earnings release sent a chilling message. “We have...

Read More