New Ransomware Payment Reporting Requirements on Horizon

January 9, 2023, was the deadline for financial services companies doing business in New York (including cryptocurrency entities with a BitLicense) to comment on new proposed cybersecurity regulations which would mandate, among other things, that such regulated entities report and justify any ransomware or extortionware payments to the Department of Financial Services within 24 hours.

The proposed regulations include requirements of participation in cybersecurity decision-making by a “senior governing body,” a requirement of annual independent third-party audits, the requirement for a CISO with “adequate authority to ensure that cybersecurity risks are appropriately managed” and who reports to the senior governing body, as well as a comprehensive risk assessment program that includes things like risk identification and evaluation (and mitigation), threat intelligence and comprehensive cybersecurity programs which include evaluation of third-party service providers.

The new regulations would require certain DFS-regulated entities to

  • Conduct independent cybersecurity audits annually
  • Conduct comprehensive risk assessments, including external entities, at least every three years
  • Review access privileges and authentication processes
  • Use endpoint detection and response to identify and respond to threats and anomalies, with reporting, alerting and response

Reporting to DFS

The proposed regulations would also require all DFS-regulated entities to report to the superintendent “no later than 72 hours from a determination that a ‘cybersecurity event’ has occurred that (i) requires notice to be provided to any government body, self-regulatory agency or other supervisory body; (ii) has a reasonable likelihood of materially harming, disrupting or degrading any material part of the normal operation(s) of the covered entity; (iii) involves instances where an unauthorized user has gained access to a privileged account or (iv) resulted in the deployment of ransomware within a material part of the covered entity’s information system.” (Note that the proposed amendments continue to not define “materiality.”)

The reporting requirement would include not only reporting of such “cybersecurity events” within the regulated entity’s domain but also reporting such events that relate to any third-party service providers if that “event” would materially affect the operations of the regulated entity. This includes things like events that could materially harm, disrupt or degrade the normal operations of the regulated entity, incidents where an unauthorized user has gained access to a privileged account or events which resulted in the deployment of ransomware within a “material part” of the entity’s information system.

The reporting requirement is much more extensive than the typical “data breach” reporting covered by the law of various states which relate to the unauthorized acquisition of certain kinds of personally identifiable information. The regulation requires reporting of “events” that could impact security—not simply “breaches.” Thus, even if no data is compromised or acquired by a hacker or threat actor, the “incident” may have to be reported to DFS—and quickly as well.

Ransomware Reporting

In addition to requiring the reporting of the installation or deployment of ransomware into a significant or material part of a DFS-regulated entity’s network, the proposed regulations also would require regulated entities to notify DFS whether they had made a ransomware or extortionware payment within 24 hours and, within 30 days of making the payment, to provide DFS with a written description of reasons for payment, including diligence conducted to comply with OFAC and other relevant requirements prior to payment.

As a practical matter, this means that regulated entities must include detailed ransomware incident response procedures in their overall incident response plan. Ransomware response differs in material ways from ordinary “incidents” as ransomware (and extortionware) typically involves engagement with the threat actor to obtain keys to unlock files, devices, networks or data that have been “locked” by the ransomware. Thus, ransomware incident response plans need to include plans for:

  • Threat actor engagement—Who engages with the threat actor, who negotiates the ransomware payment (if any) and how are these logistics worked out?
  • Threat actor open source intelligence and dark web research—What is the history of the threat actor, where are they likely located, are they likely to provide keys if paid and are they likely to re-attack if paid?
  • Crypto-wallet investigation—What is the history of the wallet or wallets used to receive ransomware payment; can they be tracked to particular entities or locations?
  • Payment planning (availability of ransomware payments and conversion into cryptocurrency)—Who pays the money and how?
  • OFAC Specially Designated National compliance and possible licensing—What due diligence has the entity done to determine whether the threat actor is in a prohibited country or on a list of prohibited actors, and how can it demonstrate this to the satisfaction of OFAC?
  • Law enforcement coordination/cooperation—How and when to engage law enforcement in the course of a ransomware/extortionware incident.
  • Insurance considerations—Are ransomware payments or reconstruction costs covered by applicable cyberinsurance? Increasingly, coverages require actual “physical destruction” of media containing information, which courts conclude does not include ransomware.
  • Forensic considerations for ransomware/extortionware—Who engages the forensics and incident response team, and who pays for them?
  • AML compliance with respect to ransomware payments—Federal law prohibits engaging in transactions that conceal the source or destination of funds, and ransomware payments to unknown entities may violate the AML reporting requirements.
  • Money transfer agent licensing requirements—Federal and state laws require those who transfer funds from one entity to another to be appropriately licensed. The payment of ransom may also require the use of licensed MTA’s in each state.
  • Aiding/abetting or criminal facilitation considerations—Whether the actions of the ransomware victim constitute “aiding and abetting” or otherwise encouragement of ransomware in the future.
  • “Material support” evaluation—Whether the entity paid uses the funds to support specific unlawful activities and, if so, whether the payor can be said to have provided “material support” to that unlawful activity.
  • Other reporting requirements—Whether a ransomware/extortionware incident also involves a breach of data that would be reportable under other laws or regulations.
  • Ransomware as an “incident”—Ransomware also typically involves unauthorized access to a system, network or data, elevation of privileges, and access to critical systems or networks. As such, ransomware or extortionware would also constitute a cybersecurity incident under other DFS regulations.

A comprehensive ransomware incident response plan will help entities meet their 24-hour reporting requirement, but it also will help them “justify” their actions to DFS whether they paid or refused to pay a ransom. It is clear that the requirement that covered entities provide DFS a written description of their reasons for making a ransomware or extortionware payment is designed to discourage such entities from making these payments, under the theory that if nobody paid the ransom, the threat actors would stop executing ransomware. In short, they do it because it works. While this may be true in the aggregate, the decision of whether or not to pay the ransom by companies is a complicated one that involves costs of paying (including reputational costs), costs of restoration or rebuilding, lost time and accessibility and a host of other factors. By requiring entities to justify the payment of ransom, it is likely that DFS will also look at factors like the robustness and effectiveness of the company’s data backup and restoration program, its data resilience program and its disaster recovery/business continuity plans. Indeed, the new regulations require covered entities to demonstrate that their business continuity and disaster recovery plan is reasonably designed to ensure the availability and functionality of the covered entity’s services and protect the covered entity’s personnel, assets and nonpublic information in the event of an emergency or disruption to its normal business activities, including offsite “hot sites” or “warm sites” for timely data and service restoration.

Even where the payment of ransom saves a company money and disruption, DFS may not accept their justification because the entity failed to have a restoration/resilience plan to deal with ransomware. As a result, we can expect DFS to second-guess ransomware payment decisions. Indeed, even a single failure to adequately report a ransomware incident within 24 hours empowers DFS to enforce the new rules.

Federal Reporting Requirements

In September of 2022, the Cybersecurity and Infrastructure Security Agency (CISA) also published new proposed data security reporting requirements, which similarly would require entities to report not only cybersecurity incidents but also ransomware payments. The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), codified at 6 U.S. Code § 681, requires entities in the “critical infrastructure sector” to report covered cybersecurity incidents to the CISA director. The reporting requirement not only requires reporting of cybersecurity incidents and threats, but also includes reporting of “ransomware attacks” and “ransom payments.” 6 U.S. Code § 681b requires covered entities to report cybersecurity incidents within 72 hours after the incident has occurred and also notes that “a covered entity that makes a ransom payment as the result of a ransomware attack against the covered entity shall report the payment to the agency not later than 24 hours after the ransom payment has been made.” Of course, this can require the covered entity to report the payment within 24 hours of an incident that is not itself reportable until 72 hours, and the statute allows a single reporting within the 72-hour timeline of both the incident and the payment.

Taken together, the DFS and CISA regulations impose new burdens on those who become the victims of ransomware not only to prevent and report the ransomware but to justify any decision to pay a ransom. Thus, companies likely to be covered by these regulations should include in advance the criteria by which they will decide whether or not to pay future ransoms in their overall incident response plans and to understand when and how to report these incidents.


Mark Rasch

Mark Rasch is a lawyer and computer security and privacy expert in Bethesda, Maryland, where he helps develop strategy and messaging for the Information Security team. Rasch’s career spans more than 35 years of corporate and government cybersecurity, computer privacy, regulatory compliance, computer forensics and incident response. He is trained as a lawyer and was the Chief Security Evangelist for Verizon Enterprise Solutions (VES). He is a recognized author of numerous security- and privacy-related articles. Prior to joining Verizon, he taught courses in cybersecurity, law, policy and technology at various colleges and universities including the University of Maryland, George Mason University, Georgetown University, and the American University School of Law and was active with the American Bar Association’s Privacy and Cybersecurity Committees and the Computers, Freedom and Privacy Conference. Rasch has worked as cyberlaw editor for SecurityCurrent.com, as Chief Privacy Officer for SAIC, and as Director or Managing Director at various information security consulting companies, including CSC, FTI Consulting, Solutionary, Predictive Systems, and Global Integrity Corp. Earlier in his career, Rasch was with the U.S. Department of Justice where he led the department’s efforts to investigate and prosecute cyber and high-technology crime, starting the computer crime unit within the Criminal Division’s Fraud Section, efforts which eventually led to the creation of the Computer Crime and Intellectual Property Section of the Criminal Division. He was responsible for various high-profile computer crime prosecutions, including Kevin Mitnick, Kevin Poulsen and Robert Tappan Morris. Prior to joining Verizon, Mark was a frequent commentator in the media on issues related to information security, appearing on BBC, CBC, Fox News, CNN, NBC News, ABC News, the New York Times, the Wall Street Journal and many other outlets.
