What proactive steps should companies take to prepare for a ransomware attack? Are there any best practices firms should consider, or does each institution need a tailored response plan?
Ransomware is one of the most common forms of cybersecurity attacks Canadian companies face, and studies suggest the prevalence of those attacks will only continue to increase. While it has become somewhat cliché, the phrase “it’s not if but when” (and in fact “how many”) is how an organization should think about its cyber attack preparedness, and overall cybersecurity posture. The importance of diligent and continuous preparation is hard to overstate.
As a first step, it is recommended that all organizations, regardless of their size or resources, have some form of incident response plan in place that can be utilized and relied upon in the event of an attack. A good incident response plan effectively acts as a playbook that is used during an incident to quickly determine what personnel, internally and externally, should be engaged, how and to whom the organization will communicate about the incident (internally and externally) and the factors that will be considered as challenges arise and decisions need to be made. Increasingly, we see organizations adopting ransomware-specific playbooks/incident response plans within their broader incident response or business continuity plans. When a cyber attack occurs, speed of response is critical and organizations that have prepared and worked through various contingencies ahead of time typically fare much better than those that haven’t.
However, an incident response plan is not something organizations can simply “set and forget” either. The plan should be revisited and revised regularly to adapt to the rapidly evolving threat landscape and changes within the organization. Companies should also test their plan regularly by engaging in tabletop or other exercises that simulate a cybersecurity incident and require stakeholders to work through the various challenges which arise during a cyber attack while using the incident response playbook as a guide. Tabletop exercises also serve as an opportunity to revise the plan in areas where it may have been deficient or ambiguous in the course of the simulation. Of course, the incident response plan needs to be stored in a location where it can be retrieved in the event of an attack which heavily disables the organization’s network and renders its data inaccessible (i.e., a physical copy and secure storage on the personal devices of key stakeholders is recommended).
When a business is hit by a ransomware attack, what are the factors that should determine their response? How much weight should be assigned to the services, properties, or data affected, and how much to the specific demands of the hackers?
Ransomware attacks are, at a minimum, highly disruptive to an organization’s business and operations and, at worst, catastrophic. An organization’s first priority when faced with a ransomware attack is to work to restore operations as quickly as possible. The extent to which the organization can carry on as usual will often dictate or heavily influence the response strategy. The value placed on impacted data or systems is unique to each organization, but it’s fair to say that the weight afforded to the hacker’s demands will depend on the options available to the company. If critical systems are impacted or operations are interrupted and the organization is incurring considerable business interruption damages, its bargaining position is far less advantageous than when viable backups are available and the options are to pay a ransom to restore access or undertake the manual effort of scrubbing hardware and restoring from those backups.
The threat actor’s demands also need to be weighed against the resources of the company. Ransom demands have, on average, been consistently increasing over the past several years. Unless the hackers are willing to negotiate on price, organizations can find themselves in a situation where they are simply unable to meet the demand and need to explore other options. Unfortunately, in the long term, those alternatives are often just as expensive as paying the ransom, if not more so.
Ideally, an organization faced with a ransomware attack will have a tested, yet flexible incident response plan in place which will allow the organization to quickly mobilize resources and help guide the decision-making process. We frequently see incident response plans that include decision trees or a list of questions tailored to different incident scenarios which should be considered by the individuals responsible for making the critical decisions. In that respect, depending on the severity of the attack and the impact to the organization, decision-making authority may rest at the C-suite or Board level, or may be entrusted to other senior leaders or management. Regardless, an organization will want to determine that ahead of time to ensure valuable time isn’t wasted in the heat of the moment trying to figure out who should make the important decisions.
Each organization is unique and every attack scenario introduces different considerations. That said, organizations that have planned for a crisis situation by structuring their IT infrastructure in a manner which minimizes, to the extent possible, the impact of a potential breach and that have a workable incident response playbook at their disposal typically fare much better at weathering the storm of a ransomware attack than those that don’t.
What factors do organizations consider when determining whether to make a ransom payment? If a ransom is ultimately paid, what negative consequences can the company expect to endure? Are there any circumstances under which paying the ransom would be illegal under Canadian law?
A variety of factors will typically play into the decision to pay a ransom demand, though the predominant ones are often: (1) the state of business operations, (2) data access and exfiltration, and (3) legal and ethical considerations.
If the organization can continue to operate, even at reduced capacity, and has the prospect of restoring affected systems through alternative means to a ransom payment (by way of viable electronic backups or even paper records), the decision makers can more readily weigh the hacker’s demand against the cost of alternatives. The organization may even be able to assert some leverage in negotiations with the threat actors to drive the demand down. Alternatively, if the organization is not operational and is faced with an extremely onerous or impractical path to recovery, there may be little choice but to pay the ransom provided the company has the means to do so.
To make matters worse, recovery costs can be difficult to quantify with lost profits, lost opportunities, downtime and restoration costs all needing to be accounted for. In some cases, organizations have refused to pay a ransom only to incur drastically greater costs to restore by other means.
Even when a ransom is paid and a decryption tool is acquired, they are not always 100% effective and decryption still takes valuable time during which the organization remains affected. There is also a risk that the hackers will seek to renegotiate once the organization has shown a willingness to pay and change the terms of the deal or demand more money.
Data Access / Exfiltration
One of the primary goals of the forensic investigation will inevitably be to determine the extent to which any of the organization’s data was accessed or exfiltrated (i.e., stolen) during the course of the attack.
The value placed on compromised or stolen data, which may be sensitive, confidential, proprietary or represent significant liability exposure in the wrong hands or if published, is highly situation specific. Even if the organization is able to restore its network from backups, it may be motivated to pay a ransom to recover or prevent the publication of its, or key business partners’, confidential business information or the personal information of its customers. The sensitivity of the information at issue will typically inform whether the organization is willing to entertain paying a ransom and the amount.
Legal and Ethical Considerations
The act of paying a ransom is not, generally speaking, illegal under Canadian law. Exceptions to this include payments made to individuals or organizations subject to sanctions under the United Nations Act or the Special Economic Measures Act which can attract significant penalties if violated. For that reason, it is imperative that a comprehensive sanctions check be completed and documented before any payment is issued. Furthermore, it is illegal to fund known terrorist organizations or to facilitate the laundering of the proceeds of crime. Beyond consulting with external counsel, organizations may want to consider utilizing a ransom negotiation specialist to ensure that proper due diligence is carried out before any payment is made.
There are certainly ethical considerations regarding funding criminal activity which can factor into the organization’s decision to pay a ransom.
If a ransom is paid and that fact becomes public, the organization may face reputational harm, lose customers and undergo scrutiny from regulators and prospective litigants. In addition, the organization may still be obligated to notify regulatory authorities and affected individuals of the incident under Canadian privacy laws, even if the data was recovered and its publication prevented by payment of a ransom. The company may also be at an increased risk for future attacks if other nefarious actors believe their efforts will be rewarded by the payment of a ransom.
A recent survey conducted by the Canadian Internet Registration Authority revealed that 59% of respondents have taken out cyber insurance coverage as part of their cyber defence measures. Beyond coverage for a potential ransom payment, what other losses or expenses are typically covered by cyber insurance?
The cyber insurance market in Canada has matured significantly over the last 10 years. Many organizations from large multi-nationals to SMEs now recognize the need for cyber insurance coverage in the face of the escalating and rapidly evolving cyber threat landscape. In response, cyber insurance has evolved in its own right, developing coverages to meet the changing needs of insured organizations.
Today, cyber insurance frequently contains a mix of both first-party coverages for losses and expenses incurred by the insured organization and third-party coverages for claims against the organization by litigants or regulatory authorities pertaining to a data or privacy breach. Coverage for a ransom payment is a first-party coverage as it relates to an expense the organization incurs as a result of an occurrence, the attack, which triggers the policy. Other common first-party coverages include: costs to restore operations, rebuilding or replacing damaged hardware, business interruption damages, expenses associated with third party incidents with consequences for the insured organization, costs associated with notification to regulatory authorities/affected individuals and forensic investigation costs to determine the cause and extent of the breach, to name a few. Legal fees for breach coach counsel are also frequently covered.
In the event of a cyber attack, the organization should carefully review the terms of its policy as coverage is highly dependent on the wording of the policy and the unique characteristics of the incident.
What are the implications of the federal government’s proposed legislative reform on cybersecurity and privacy law for organizations faced with a ransomware attack?
This past summer, the federal government introduced significant changes to Canada’s cybersecurity and privacy landscape. Bill C-26, An Act Respecting Cyber Security, proposes to introduce new and amend existing legislation in order to regulate critical cybersecurity systems deemed to be vital to national security or public safety, including telecommunications, transportation, banking, nuclear energy, etc. Broadly speaking, the proposed legislation has implications for the operators of critical cybersecurity systems in relation to the detection, management, minimization and reporting of cybersecurity risk, of which a ransomware attack is certainly one.
Other recently introduced legislation, Bill C-27, Digital Charter Implementation Act, 2022, contains three new laws, one of which, the Consumer Privacy Protection Act (“CPPA”), would effectively replace the Personal Information Protection and Electronic Documents Act as Canada’s private sector privacy law. The CPPA, as currently drafted, introduces obligations around privacy management programs, expands access and mobility rights of individuals, enhances powers for the federal Privacy Commissioner and introduces significant monetary penalties for non-compliance. With regards to ransomware, the CPPA has provisions pertaining to minimum security safeguards for organizations and their service providers, a private right of action for individuals who suffer harm on account of an organization’s failure to comply with the CPPA (including in a breach context) and significantly increased exposure for fines and penalties.
While Bill C-26 and C-27 are in their early stages (both have only passed their first reading) and may look very different if and when they are passed into law, it seems clear that the federal government is intent on bringing about significant reform to Canadian cybersecurity and privacy law in one form or another. With the burgeoning prevalence of ransomware and other cyber attacks, we will be tracking the implications of this new legislation for businesses faced with such attacks with great interest.
Based on your experience, what observations can you offer to firms who are potential targets for ransomware attacks?
One word that we routinely emphasize to clients is resiliency. In the context of a cyber attack, resiliency refers to the ability of an organization to bounce back as quickly and efficiently as possible. Building resiliency starts well before an attack is launched with the development, refinement and testing of an incident response plan. The ability to quickly activate essential resources and to take timely and decisive action can not only limit the damage incurred as a result of a breach, but also save the organization considerable costs of recovery down the road.
Some beneficial information can come from highly publicized data breaches, even if it’s just lessons for what not to do, but valuable insight can be gleaned from similarly structured organizations, or those within the same industry, which have experienced a ransomware attack and survived to tell the tale. Perhaps the most significant takeaway is the manner in which the organization handled the incident from a communications and public relations standpoint. Was it a proactive or reactive approach? Was the organization transparent or guarded in its communications? Was the reaction positive or was the organization heavily criticized? The answers to such questions can help other organizations follow a response plan which is best suited to their industry sector or customer base. More granular aspects of a company’s response strategy can be difficult to access as organizations are reluctant to disclose attacks for fear of regulatory or legal implications.
Reporting incidents to local and national police authorities or the Canadian Centre for Cyber Security can also benefit other organizations who may be impacted by a cyber attack in the future by contributing to the knowledge repository of those institutions.
Imran Ahmad is the Canadian head of Norton Rose Fulbright’s technology and innovation industry group and the Canadian co-head of the data protection, privacy and cybersecurity practice.
Imran advises clients across all industries on a wide array of technology-related matters, including outsourcing, cloud computing, SaaS, strategic alliances, technology development, system procurement and implementation, technology licensing and transfer, distribution, open source software, and electronic commerce.
As part of his cybersecurity practice, Imran works closely with clients to develop and implement practical strategies related to cyber threats and data breaches. He advises on legal risk assessments, compliance, due diligence and risk allocation advice, security, and data breach incident preparedness and response.
John Cassell is co-head of Norton Rose Fulbright Canada’s information governance, privacy and cybersecurity team. John regularly assists clients with complex privacy, data governance and cybersecurity law issues including responding to cross-border cybersecurity incidents, advising on cybersecurity preparedness and risk mitigation strategies, and Canadian anti-spam legislation compliance. John also assists clients with privacy and regulatory compliance issues including representing clients in proceedings before federal, provincial and international data protection regulators.
Travis Walker is a senior associate in Norton Rose Fulbright’s information governance, cybersecurity and privacy group. As part of his breach coach practice, Travis assists clients from a wide range of industries in the identification, investigation and remediation of all manner of cybersecurity attacks. He also works proactively with clients on the development of incident response plans and data management programs. Travis has a broad defense litigation background and experience defending IT service providers and data hosts in actions arising from data loss and unauthorized access to information.