Public Finance Alert | April.03.2018
The recent ransomware attack on the City of Atlanta highlights the fact that the threat of ransomware affects all organizations, regardless of the nature of their industry, business, or operations, and that political subdivisions and quasi-government entities face particular challenges in protecting themselves and responding to attacks. Counties, cities, political subdivisions, and nonprofit corporations have become a favorite target for cybercriminals because they are increasingly leveraging technology to collect, store, and use personal information to deliver services and programs to individuals, and because their networks tend to run on a complicated, interconnected fabric of legacy systems that are difficult to protect and defend. As a result, attackers are targeting emergency response systems, disaster response systems, public utilities payment and information systems, police department systems, election and voter information systems, medical information systems, and general operating systems of public entities. A recent International City-County Management Association survey of chief information officers found that about 44 percent of local governments reported experiencing daily cyber-attacks (without regard to type or threat vector), with about one-quarter of local governments reporting attacks at least as often as once an hour. Yet less than half of the local governments surveyed said they had developed a formal cybersecurity policy, and only 34 percent said they had a written strategy to recover from breaches.
While public entities are often resource limited, there are basic steps that they can take to lower and better manage certain risks from cybersecurity attacks. Below, we review some of the basic attack vectors to which public agencies and related sectors are particularly vulnerable, and some of the best practices that resource-constrained organizations can implement.
Ransomware is computer code (malware) that is typically deployed into a network, often when an unsuspecting user clicks on a malicious link or opens a file in a phishing email. Once inside the network, ransomware typically self-proliferates and encrypts data inside the environment, rendering the data inaccessible and essentially useless. A successful ransomware attack can result in the temporary or permanent loss of sensitive information, serious disruption to operations, financial costs of restoring systems and data, and possible reputational or brand impact to the enterprise.
Generally, the attacker will provide a decryption “key” only after the company pays a ransom (almost always in hard-to-trace Bitcoin). Other forms of ransomware can destroy or delete data, hide data by relocating it within the network, or even exfiltrate data outside of the company’s environment.
In addition to ransomware, attackers are deploying a fairly standard array of attacks on public entities, in an effort to gain access to their systems and data, or simply to disrupt their operations, including:
Historically, ransomware attacks were viewed primarily as a business continuity issue, with the primary post-ransomware workflow focused on getting back online and restarting operations. However, as cyberattackers have become more sophisticated, ransomware has become more than just the end-goal, with some attackers utilizing ransomware to mask or conceal other exploits. In other words, a ransomware attack may just be a sign of something worse, and thus merits a more sophisticated response. In particular, several regulators have articulated concerns that organizations should address in responding to a ransomware event.
Health Insurance Portability and Accountability Act (HIPAA): For HIPAA-regulated entities, the Health and Human Services Office for Civil Rights (HHS OCR) issued guidance warning that the HIPAA Breach Notification Rule is a “fact specific” inquiry, and where Protected Health Information is “encrypted as the result of a ransomware attack, a breach has occurred because the PHI encrypted by the ransomware was acquired (i.e., unauthorized individuals have taken possession or control of the information), and thus is a disclosure not permitted under the HIPAA Privacy Rule.”
Federal Trade Commission (FTC): Although the FTC has very little jurisdiction over public entities, it is seen as the leader in data security enforcement, with many other regulators looking to it and its actions as the North Star for enforcement theories and priorities. The FTC recently reinforced the seriousness of ransomware, signaling that preventable ransomware attacks – ones that exploit known vulnerabilities – may violate Section 5 of the FTC Act. As then-Chairwoman Edith Ramirez explained: “A company’s unreasonable failure to patch vulnerabilities known to be exploited by ransomware might violate the FTC Act.”
Federal Bureau of Investigation (FBI): The FBI recently urged companies to come forward and report ransomware attacks to law enforcement. Notwithstanding organizations' concerns with reporting ransomware to law enforcement, the FBI is calling on organizations to help in the fight: “Victim reporting provides law enforcement with a greater understanding of the threat, provides justification for ransomware investigations, and contributes relevant information to ongoing ransomware cases. The FBI does not support paying ransom demands.” According to the FBI, some organizations never get a decryption key, even after payment. And, every payment “emboldens the adversary to target other victims for profit,” incentivizing similar conduct by other criminals seeking financial gain.
Moreover, U.S. state breach notification rules are generally triggered by an unauthorized “acquisition” of certain delineated types of unencrypted personal information. Ransomware that only encrypts data inside an environment, but does not allow an attacker to exfiltrate it (e.g., download, email, transfer), is unlikely to trigger a notification duty under the statutes that define a breach as the “unlawful and unauthorized acquisition” of personal data. However, for the small number of states that define a breach as the “unauthorized access” to personal information, ransomware could trigger breach notice if the attack resulted in the viewing of exfiltrated personal information.
In addition to the direct damage caused by a breach, a cyber-attack in some cases could potentially cause a public entity’s credit rating to be downgraded. While no government has yet been downgraded because of a cyberattack, an S&P Global Ratings analyst has said that a cybersecurity incident could affect a public entity's credit rating. This is not only due to the financial cost of a cyberattack, but also the accompanying loss in taxpayer trust and in the ability to raise taxes. The risk increases “particularly for smaller governments with less financial flexibility.”
The ransomware landscape dictates that organizations should consider proactive and reactive measures.
Proactive: On the proactive front, the focus should be on reasonable defenses and training. Among other things, organizations should consider:
Reactive: On the reactive side, the key is not to treat a ransomware event as simply that, but to conduct a reasonable investigation to determine whether other data/information was subject to unauthorized acquisition and/or access. The post-incident response workflows should consider (1) the nature and extent of the personal information involved, including the sensitivity of the information and the likelihood that it will be accessed; (2) whether the personal information was actually viewed, accessed, acquired, or exfiltrated; and (3) the extent to which the risk to the personal information has been mitigated.