Insight Archive  | Subscribe to our insights >>

Aon  |  Professional Services Practice
To Pay or Not To Pay – Professional Service Firms and Ransomware

Release Date: January 2022
pdf download Implications for D&O Litigation From Climate-Related Risk

As one of the most targeted industry sectors, professional service firms must carefully consider the implications of responding to ransomware demands.

In June 2021, two very public ransomware attacks, against a fuel pipeline company and a meat processing company, caused major supply-chain issues in the U.S., drawing attention not just from the news cycle but from the federal administration.

On September 21, 2021 the U.S. Department of the Treasury Office of Foreign Asset Control (OFAC) published an advisory highlighting its significant efforts in imposing sanctions on bad actors in the ransomware ecosystem, as well as the concomitant sanctions risks that victims of ransomware attacks may now face when making or facilitating ransomware payments to sanctioned ransomware operators.

Indeed, since September 2021, OFAC has imposed sanctions on ransomware players, including two cryptocurrency exchanges (SUEX and Chatex) and on any “others who material assist, sponsor, or provide financial, material or technological support” for their activities. In conjunction with these OFAC sanctions, the Department of Justice (DOJ) and State Department also took public action in the war against ransomware attacks by, among other efforts:


And on December 5, 2021, Gen. Paul M. Nakasone, the head of U.S. Cyber Command and the director of the National Security Agency publicly acknowledged that the agencies under his control, in conjunction with other agencies, “have taken actions” and “imposed costs” on the ransomware operators.

These actions by the U.S. administration aim to disrupt the economic infrastructure that supports the threat actors and signal that ransomware gangs can no longer rely on their geography and the “anonymity” of cryptocurrency transactions to shield them. There is some evidence that these actions, including the DOJ’s recent successes in intercepting ransom payments, are having an effect on the ransomware environment. It also appears that the threat actors are now focusing attention on smaller and less controversial entities, avoiding targets that might cause widespread economic or social impact, and avoiding “headline making” ransom demands.

At the same time, the federal administration and regulatory authorities are putting pressure on victims, using a combination of “carrot and stick” incentives to encourage better cybersecurity practices and more disclosure to authorities when threat actors strike.

In the first instance (the carrot), OFAC’s September 21, 2021 advisory emphasizes that if a ransomware victim has followed cybersecurity best practices (such as those promulgated by CISA) and has engaged law enforcement or other authorities in the response to the attack, OFAC will consider these as mitigating factors when considering enforcement action against the victim for paying a ransom to a sanctioned entity.

In the second instance (the stick), the DOJ announced in October 2021 that it will use the False Claims Act to pursue organizations that misrepresent their cybersecurity efforts or fail to appropriately report cybersecurity incidents.

The increased use of sanctions against ransomware groups and their funding mechanisms puts the victims of ransomware attacks in a difficult position:

  • Should they refuse to pay and accept the potentially devastating consequences (loss of business, lawsuits from published client information, reputational damage, even closure), or
  • Pay and risk breaching OFAC strict liability rules if any part of the payment touches a sanctioned entity (e.g., a cryptocurrency exchange such as SUEX or Chatex)?


Why Authorities Recommend Not Paying Ransoms:


  • Paying ransoms keeps the threat actors in business and funds new attacks
  • The payment may breach OFAC sanctions
  • It does not guarantee that the decryption key provided by the attacker will work or that data will not be leaked by the attacker
  • It does not provide immunity from further attack (according to a Cybereason study, 80% of victims who paid the ransom experienced subsequent attacks)

While authorities do not want victims to pay, they are not explicitly prohibiting anyone from doing so, recognizing that there are circumstances when the victim has little or no choice but to pay.


Factors to Consider Before Paying a Ransom


  • Is it truly necessary? Many issues must be considered and discussed with breach counsel, law enforcement, expert consultants/ransom negotiators and insurers.

    • Was highly sensitive data stolen? What is the impact on the firm if the data is released? If client data is stolen, might this give rise to a malpractice claim? (Coveware reports that in 83% of ransomware attacks there is an associated threat of data exfiltration).
    • Are viable backups available? How much data will be lost and rework required if only backups are used for restoration?
    • How long will the firm’s systems be down due to the attack? According to a Coveware report, average downtime from an attack is ~3 weeks.
    • What is the relative impact on the firm’s revenue, reputation and business between paying for a decryption key and being back in business more quickly (bearing in mind that on average only 65% of data is restored after a ransom payment) and not paying, with the potential that the attackers may launch additional attacks, such as Denial of Service?
    • Will paying the ransom pay for itself in reducing the overall cost of the incident and the time incurred dealing with it? The average cost for a U.S. entity to resolve a ransomware attack in 2020 was $2.09m (but this number is heavily skewed down by the large number of attacks on smaller and mid-sized organizations); among law firms Aon Professional Services Practice has seen multiple ransomware losses of $5m and more.

  • Is the threat actor a sanctioned entity? While OFAC is willing to accept that sometimes the victim has no choice but to pay a ransom, involvement of a sanctioned entity must be a material factor in how a firm responds to the situation.

    • Involvement of a sanctioned entity will curtail and potentially proscribe involvement of many consultants that insurers would usually make available, making it harder for the victim to access the help that may reduce or even eliminate the need to pay a ransom.
    • Can the firm demonstrate compliance with the recommendations of the OFAC advisory such that it will materially reduce or eliminate penalties if the firm does pay a sanctioned entity?
    • Is the firm prepared to involve law enforcement and other authorities, as required by the September 2021 OFAC advisory, in the response to the incident, providing full cooperation and transparency?
    • If the firm is determined to pay a sanctioned entity, are necessary processes and mechanisms for doing so in place?

  • Is the firm prepared? Aon’s 2021 Cyber Security Report indicates that only 31% of respondents reported having adequate business resilience measures in place to deal with ransomware. The cost of responding to and remediating a ransomware attack varies greatly and preparation reduces the overall cost.

    • Does the firm have an incident response plan that has been subjected to tabletop simulations so everyone knows what is involved, what approvals are required from the firm’s executive committee and what external resources should be engaged?
    • Does the firm have a business continuity plan that has been practiced with “live fire” restoration from backups, ensuring that the restoration process runs smoothly and the firm knows that the integrity and viability of backups has been tested?
    • Has the firm engaged with breach counsel and other external resources and secured pre-approval from insurers for preferred vendors?
    • Has the firm purchased cyber insurance and reviewed the policy to ensure that the coverage meets expectations, that limits are sufficient and that terms and conditions are understood and observed?


Conclusion


The decision on whether to pay a ransom is complex and will be dependent on the specific circumstances of the firm, the cyber event itself and the economics of the situation — there is no simple answer. The best response to the threat is to be prepared:

  • Deploy protections that are known to reduce the threat
  • Review cyber insurance coverage options
  • Create and implement an Incident Response Plan and Business Continuity Plan
  • Rehearse using tabletop simulations, “live fire” restorations and penetration testing.


Tom Ricketts

Contact


The Professional Services Practice at Aon values your feedback. To discuss any of the topics raised in this article, please contact Tom Ricketts.

Tom Ricketts
Senior Vice President and Cyber Risk Leader
New York