The price of paying cyber ransoms
It can embolden hackers to grow their ransomware business. Should the government intervene by making it illegal to pay up?
Big game hunting. That's what the cybersecurity industry calls targeting large enterprises that cannot tolerate sustained disruptions to their networks, and who are willing to pay large sums of money to see their operations quickly restored following a major hack. And it's gaining popularity among cybercriminals.
"Researchers estimate that the average ransom demand increased by 33% since Q4 2019 to approximately $148,700 CAD in Q1 2020 due to the impact of targeted ransomware operations," according to the 2020 National Cyber Threat Assessment, put out by the Canadian Centre for Cyber Security.
Meanwhile, multi-million-dollar ransom demands are more and more common. In May, Colonial Pipeline paid close to US$4.5 million after a ransomware attack forced the fuel transporter to shut its operations. Sometimes insurers are forced to foot the bill. The worry now is that companies and their insurers are emboldening cybercriminals by agreeing to these large payouts. The question is whether paying ransoms should be made illegal in order to dissuade them.
It's not as simple as it sounds, says Chantal Bernier, who leads the privacy and cybersecurity practice group at Dentons Canada LLP.
"As a former policymaker, I consider legislation the instrument of last resort," adds Bernier, who was the interim Privacy Commissioner of Canada in 2013 - 2014. "The simple reason is that it removes so much discretion, and in relation to ransomware, companies need discretion."
In breach response plans she prepares for clients, Bernier includes a module on decision-making around ransomware incidents. A company can decide that the default position is not paying the ransom. But there are circumstances where paying up is the best solution due to the sensitivity of the compromised information or the amount of ransom demanded. Perhaps mission-critical data has already been compromised, or there are considerations around the extent of the backups to recover information.
"If there was legislation prohibiting the payment of a ransom, I would certainly want to see in it the flexibility that allows some case-by-case analysis to take into account [these] criteria," Bernier says.
David Krebs, an associate counsel with Miller Thomson LLP in Saskatoon, notes that if a business has proper backups in place, the calculation may be monetary. The company can then focus on a PR strategy to manage reputational issues around stolen data.
"They can say we'll manage, but at least we didn't pay a ransom," says Krebs. "I don't know if the health sector would necessarily have that luxury."
Addressing ransomware attacks requires taking a holistic approach, says Bernier. "We still need some room for where the ransom attack is crippling and therefore, the only way to protect the data is by paying the ransom immediately," says Bernier.
Bernier adds that under the Personal Information Protection and Electronic Documents Act — PIPEDA — targeted organizations must keep records of cyber-security incidents accessible to the Office of the Privacy Commissioner of Canada upon request.
"There could be specific attention to reports on ransomware," Bernier suggests. "Did you pay the ransom? Why did you choose to pay or not pay? So that we could bring some accountability to ransomware payments while still leaving the organization the discretion to make the right decision. There are cases where the refusal to pay the ransom can lead to the exposure of personal data of great consequences, as we have seen in the past."
Krebs notes that Bill C-11, short-titled the Digital Charter Implementation Act, along with other legislation in Quebec and Ontario, would carry with it more robust enforcement and higher penalties for digital privacy violations.
"Not only are you faced with business interruption or your reputational costs, you might also face enforcement through the Privacy Commissioner or the [proposed] tribunal," says Krebs. "It's not only the breach that gets you into trouble; it's also what you did before. If you keep data forever, the breach is going to have a much bigger impact."
Bernier notes that the provisions under Bill C-11 ought to encourage businesses to pursue good cyber-security hygiene and personal data governance. "It's not in the law, but in complying with the privacy program requirements, as privacy counsel for companies for whom I do build privacy programs, there does need to be a module on ransomware payment."
Insurance coverage is trickier. In May, global insurance company AXA announced that it would stop writing cyber insurance coverage in France that reimburses customers for making payments to ransomware actors. Other insurance companies are expected to follow suit.
"Everything depends on what your cyber policy covers, and there are a host of different products that you can purchase and not everyone purchases the same thing," says Ellen Snow, a partner at Clyde & Co LLP in Toronto. "Just because there isn't for a ransomware payment, it doesn't mean that there isn't coverage for other aspects of the event."
Policies can cover everything from business interruption to the hiring of forensic IT services. In certain circumstances, there is coverage for extortion threats.
"If payment of ransomware demands is made illegal in Canada, then obviously insurance providers couldn't provide that coverage in Canada, but that wouldn't stop them from providing other types of coverage," says Snow.
According to Bernier, there may be an upside to insurance companies putting their foot down.
"My impression is that it will bring discipline around paying ransoms or not, meaning that companies who received the ransom notice may have simply paid it because it was covered by insurance," says Bernier. "I certainly see the point of these insurance companies because I think they must be confronted with situations where the ransom was paid a little too liberally without a full consideration of other options."
Of course, targeted companies need to be mindful of existing criminal prohibitions, namely against paying ransom to listed terrorist entities or known criminal organizations. When facing a ransom demand, a company needs to do its due diligence, usually working with forensic IT service providers. These specialists, who can negotiate with cybercriminals, will first follow their trail of Bitcoin wallets and IP locations to determine if there is a connection with an entity or country on a sanction list.
But if cybercriminals don't receive payment because it's illegal to pay the ransom, there is a risk they will turn their attention to a different sector, like health or critical infrastructure.
Bernier warns that another unintended consequence could be that companies will choose to pay the ransom anyway, but in Bitcoin under the table, forcing transactions underground.
Besides, there are real-world challenges to consider before prohibiting the payment of ransoms. "The goal would be to cut down on ransom attacks in general," Snow says. "Ransomware is a business. It's an illegal enterprise, but it's still a business, and it's run out of jurisdictions where it's difficult to prosecute these individuals."
Still, she wonders whether hackers would target companies less frequently in a jurisdiction that has a prohibition in place, "because it's more difficult to get the payout." She also notes that in the U.S., the Office of Foreign Assets Control announced it would take a tougher stance on ransomware payments.
"There's probably a good case to consider whether or not more stringent sanctions are appropriate in the circumstances," says Snow. "It's a difficult question that requires consideration, but it's definitely a conversation that needs to be had."