Business Exposure to Internet Crime
Each year, the Internet Crime Complaint Center (“IC3”) of the Federal Bureau of Investigation publishes its Internet Crime Report. The IC3’s 2020 Internet Crime Report includes startling information about the continuing increase in internet crime.
- IC3 received 791,790 complaints of internet crime from the American public in 2020, a 69% increase from 2019.
- The reported losses associated with those complaints exceeded $4.1 billion.
- Business email compromise schemes were the most costly—19,369 complaints with adjusted losses of $1.8 billion.
- Phishing schemes were the most numerous—241,324 complaints with adjusted losses of $54 million.
- There were 2,474 ransomware incidents reported to IC3; the number of ransomware attacks is likely much higher as many victims do not report them to IC3.
Perpetrators of internet crime schemes operate from many foreign countries as well as from the United States. They seek easy targets: the businesses and individuals most susceptible to attack, those with vulnerabilities in their physical and digital defenses. Their methods evolve and have become more sophisticated and harder to detect. Most cyber experts acknowledge that virtually every domestic enterprise will experience one or more cyber-attacks in the coming years; the appropriate question is when the attack(s) will occur, not whether. The potential consequences to a business of a successful cyber-attack range from moderate to catastrophic, including loss of access to the business’s data and/or computer systems, inability to conduct normal operations, unauthorized funds transfers, theft of business secrets, exfiltration of business data containing personal identifying information of employees and customers, and payment of ransom demands ranging from $50,000 to $10,000,000 or more.
Because criminals find new ways to gain access to computer systems, there is no absolute solution to the risk of cyber-attacks. Burr’s cyber team recommends that a business enterprise implement the following methods and strategies in preparation for the inevitable attacks.
- Regular Backups. Regular (at least weekly) backups of business data, system images, and configurations to storage that is offline and completely isolated from the business’s production servers provide significant business continuity protection, because an attacker who has compromised the network cannot reach those copies to encrypt or delete them. These should be supplemented by daily (or more frequent) online backups. All backups should be tested regularly by actually restoring from them, not merely by confirming that the backup job completed.
- Software Updates. Businesses should update their software promptly as patches become available. Out-of-date software is an early target for cybercriminals, especially if it contains publicly known weaknesses; the longer software remains unpatched, the more time attackers have to develop and deploy exploits for its vulnerabilities. Regular patching can be difficult to implement, particularly for systems that cannot tolerate downtime, so it should be scheduled and tracked rather than left to chance.
- Asset Management. A business cannot protect its data and systems unless it maintains a current inventory of all computers, devices, and software that make up its systems or have access to them; a device nobody knows about cannot be patched, monitored, or isolated.
- Regular Employee Training. Phishing is the most common successful method of attack. A single mistake by a single employee can introduce damaging malware into the business’s systems. A business should invest in regular training of all employees so they can recognize and avoid phishing attacks and social engineering. The training should instruct employees on how to report internally a potential phishing attempt or other suspicious activity. Additionally, businesses should work to develop a culture of disclosure rather than cover-up regarding cyber incidents. Employees should be encouraged, not penalized, for promptly reporting any suspicious activity, even when the employee has made a mistake and unwittingly facilitated an attack.
- Computer System Secure Architecture. It is imperative that a business implement (i) network segmentation, compartmentalizing and isolating servers that hold sensitive information, and (ii) the principle of least privilege, limiting access to those servers to only those persons who need it to carry out their responsibilities. The Burr cyber team strongly recommends multifactor authentication for all users with privileged access.
- Outsourced IT. If the business uses a third party for IT services, periodic and detailed review by counsel and computer consultants of the third party’s practices, procedures, and contractual obligations to the business is warranted, in particular the reporting obligations owed by the third party to the business regarding cyber incidents. The third-party IT vendor is likely motivated to minimize, and not report, incidents to the business. Thus, independent oversight of the third-party IT provider on a periodic basis can add a layer of protection.
- Cyber Insurance. As the frequency and intensity of cyber-attacks increase, it is imperative that businesses secure appropriate cyber insurance. Coverage under traditional policies, such as crime coverage, may specifically exclude cyber losses. There are a host of new cyber insurance coverages available, including for breach, incident response, forensic investigation, data and system restoration, attorney’s fees, public relations, ransoms, and third-party litigation and liability. Businesses should explore these new coverages in light of their particular computer systems, the information they store, and their exposure to cyber-attacks. It is crucial for a business to examine the choice-of-attorney and forensic-investigator requirements in each cyber policy to determine the need for pre-incident conflict waivers and the requirements regarding notice, cooperation, and retention of outside professionals. Also, make sure that the coverage amounts are sufficient to address a potential breach. A review of a business’s existing and potential future cyber insurance coverage by counsel and a cyber broker is recommended. Finally, if a business has cyber insurance coverage, it is essential that all information regarding the coverage, including the existence of the policy and the policy limits, be maintained offline, so that an attacker who has compromised the network cannot find the policy and size a ransom demand to match the limits.
- Incident Response Plan. An essential tool for any business is the incident response plan: the written plan for how the business will react and respond to a cyber-attack. The plan should include checklists of the many tasks to be accomplished soon after the attack is recognized and assign responsibility for the performance of those tasks, provide an alternative communications method for the team in the event the business’s email system is unavailable or compromised, and establish decision-making authority. Before the plan is adopted, it should be tested in a mock cyber event. The test may reveal that the plan cannot be effectively or efficiently implemented; perhaps one team member is overburdened with tasks. The tests may also help a business determine under what conditions, if any, it would be willing to pay a ransom demand. Once adopted, the plan should be reviewed and updated periodically.
- Third-Party Forensic Auditing & Testing. Utilization by a business of independent, third-party forensic computer consultants to audit the business’s computer security systems and practices and/or to conduct penetration testing of the business’s systems can provide unvarnished information to the business’s senior management and board as to the business’s readiness to fend off the cyber-attacks of the future.
- Communication Consultants. In the event a business suffers a cyber-attack that renders the business’s servers unavailable or otherwise adversely impacts the business’s operations, an immediate challenge facing the business will be communications – the information to be provided about the situation, what person delivers the communications on behalf of the business, the constituencies that receive the information, and the timing of the communications. A communications consulting firm can be of enormous assistance to a business in a cyber-attack crisis. Engagement of the communications specialist in advance of the inevitable cyber-attack improves both the business’s preparation for the potential crisis presented by the attack and the business’s ability to communicate quickly and effectively during a crisis.
- Computer Consultants. Outside computer consultants can add value to a business in many ways, including dealing with a cyber-attack. Prior familiarity with the business’s servers and systems on the part of these consultants will of course enhance their ability to help the business thwart an attack, determine how the cybercriminals gained access, and protect the business’s systems as soon as possible.
- Engagement with Law Enforcement. One of the initial steps in responding to certain cyber-attacks is to report the attack to law enforcement, in particular the Federal Bureau of Investigation and IC3. Establishing a relationship with the local FBI office in advance can facilitate coordination and assistance in the event of a cyber event, especially a ransomware attack. Law enforcement may be able to provide information regarding the particular groups involved in an attack, such as any known association with sanctioned entities (see Sanctions Compliance Program below).
- Alternate Communications System. A business’s email network may become unavailable as a result of a cyber-attack, or may be monitored by the attacker. To minimize the impact of such an event, the persons on the cyber response team should be prepared to communicate without business email via an alternative communication system, such as a secure messaging application like Signal, set up on devices and accounts that do not depend on the business’s network or credentials. Additionally, employee personal phone numbers should be maintained and stored offline.
- Contract Review. A business may be subject to contractual obligations with customers, vendors, and other third parties that mandate specific disclosures or actions by the business in the event of cyber events, especially events involving the exfiltration of data. The regular, periodic review of the business’s contracts to determine and catalog obligations potentially triggered by cyber-attacks eliminates the need to conduct such a review during a cyber-attack.
- Sanctions Compliance Program. The adoption and use by a business of a compliance program with respect to U.S. sanctions regulations can help the business avoid violating those regulations when paying a ransom. Additionally, such a program may enable a business to avoid civil penalties that can be levied by the United States Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) in connection with ransomware payments. OFAC issued an advisory on October 1, 2020, to highlight the sanctions risks associated with ransomware payments related to malicious cyber-enabled activities. Victims of ransomware attacks that pay ransom demands, along with financial institutions and other entities, including cyber insurers, that facilitate such payments, risk civil penalties imposed by OFAC on a strict-liability basis under U.S. sanctions regulations if the recipient of the payment is a “prohibited person”: a person on OFAC’s Specially Designated Nationals and Blocked Persons List, another blocked person, or a person covered by a comprehensive country or region embargo (e.g., Cuba, Iran, North Korea, and Syria). Because these civil penalties are imposed under strict liability, a ransomware victim paying the demand to a prohibited person is potentially subject to them even if the victim did not know or have reason to know that it was transacting with a prohibited person. OFAC reiterated in the October 1, 2020 advisory that it encourages all financial institutions and other businesses (including victims of ransomware attacks) to implement a risk-based compliance program to mitigate exposure to sanctions-related violations. Under OFAC’s Economic Sanctions Enforcement Guidelines, in the event of an apparent violation of U.S. sanctions laws or regulations, “the existence, nature, and adequacy of a sanctions compliance program is a factor that OFAC may consider when determining an appropriate enforcement response (including the amount of civil monetary penalty, if any).”