Last month, we discussed ways lawmakers aim to limit the ransomware response options that businesses may consider during an incident. State legislatures, including those of New York, North Carolina, Pennsylvania, and Texas, have introduced bills that would prohibit certain entities from paying a ransom in the event of an attack. On July 27, Bryan Vorndran, assistant director of the Federal Bureau of Investigation’s (FBI) cyber division, told federal lawmakers that if the legislature bans ransom payments, it will be “putting US companies in a position of another extortion, which is being blackmailed for paying the ransom and not sharing that [information] with authorities[.]” Mr. Vorndran said it is the FBI’s “opinion that banning ransomware payment is not the road to go down.”
Not everyone is convinced. U.S. Senator Benjamin Sasse questioned the FBI as to why it thinks its current deterrence tactics are working; “[i]t is pretty hard to see that from where we sit,” he said. Vorndran stated that “silence benefits ransomware actors the most,” and banning ransom payments will likely only result in fewer reported incidents. The FBI argued that lawmakers should instead create a federal standard that would “mandate the reporting of certain cyber incidents, including most ransomware incidents.”
The FBI’s wishes may come to fruition. Recently introduced in the Senate, the Cyber Incident Notification Act of 2021 would require “federal agencies, government contractors, and critical infrastructure owners and operators to report cyber intrusions within 24 hours of their discovery” to the Department of Homeland Security’s (DHS) Cybersecurity and Infrastructure Security Agency (CISA). In support of the bill, Senator Susan Collins argued that “[h]aving a clear view of the dangers the nation faces from cyberattacks is necessary to prioritizing and acting to mitigate and reduce the threat[.]” Proponents of the bill also hope that mandatory reporting will help create a “strong relationship between the government and individual businesses, [further arguing that] this legislation is an important step in that direction[.]”
The committee hearing and the introduction of the Cyber Incident Notification Act come on the heels of several high-profile ransomware attacks that have occurred during the COVID-19 pandemic, the most recent of which hit software provider Kaseya.
For now, leaders are reminded to follow several precautions to protect against ransomware. CISA recommends that businesses:
- Never click on links or open attachments in unsolicited emails;
- Back up data regularly and keep it on a separate device;
- Segment data based on use cases;
- Practice proper cyber hygiene;
- Follow safe practices when using devices that connect to the internet;
- Restrict users’ permission to install and run software applications;
- Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email to prevent email spoofing;
- Update software and operating systems with the latest patches; and
- Configure firewalls to block access to known malicious IP addresses.
For the complete list of recommendations, check out CISA’s Ransomware Guide. For business leaders interested in evaluating their cybersecurity practices on their networks, check out CISA’s just-released Cyber Security Evaluation Tool.