No Easy Answers to Ransomware Riddle

Imagine you’re a director of a real estate company tasked with hiring a new chief executive. “Understands best practices in information security” might not be on your list of must-have qualifications. But maybe it should be.

The Securities and Exchange Commission this week announced that it settled charges against First American Financial Corporation stemming from a cybersecurity vulnerability that allegedly left more than 800 million sensitive images unsecured. First American didn’t even get hacked. It was bad enough, in the SEC’s eyes, that the company’s internal controls didn’t prompt employees to inform the C-suite.

Welcome to corporate management in the age of ransomware. This year, attacks on the Colonial Pipeline and plants owned by meat supplier JBS have drawn attention to the mounting threats posed by data hostage-takers. Companies disclosing that they’ve been targeted by recent ransomware attacks and may suffer adverse operational and financial impacts also include Allied Healthcare Products (sub. req.) and carpet manufacturer Dixie Group (sub. req.).

Cybersecurity specialists say online criminals are just getting warmed up, with targets such as water and power infrastructure ripe for attack. The fact that the most nefarious networks of e-criminals are operating in Russia and former Soviet republics makes going after them directly extraordinarily difficult.

According to security firm Recorded Future, a successful ransomware attack occurred about every eight minutes in 2020. Another analysis found that victims paid some $350 million in cryptocurrency ransom last year to perpetrators holding their data hostage, a year-over-year increase of more than 300%. Worse, a recent Cybereason survey of more than 1,200 security professionals worldwide found that about 80% of businesses that paid ransom demands experienced a second attack, and 46% of those believed the second attack came from the same hackers.

The spike in online thievery has left President Biden and his administration sounding the alarm on cybersecurity, urging businesses to fortify their defenses. The federal government has taken concrete steps to beef up security, including writing legislation that would pour $500 million into cybersecurity on the state and local levels. Biden also signed an executive order in May requiring companies that sell software to the government to disclose breaches of their systems.

Meanwhile, the SEC can use its authority to motivate corporate laggards to bring their cybersecurity defenses up to par. Sanctioning companies like First American for insufficient controls suggests the agency isn’t playing around. But while that strategy may work on public companies, the SEC lacks authority over private businesses. Unfortunately, that group owns most of the country’s infrastructure assets.

The Justice Department’s announcement that it recovered a sizable chunk of the Colonial Pipeline ransom did offer one intriguing possibility for deterring hackers: hitting them in the e-wallet. The FBI seized control of an online account holding nearly 65 Bitcoins, valued at approximately $2.3 million. Given that hackers prefer to deal in cryptocurrency, a reliable approach to disrupting those payment flows could deal a serious blow to the online extortion racket.
