This is the fourth in a series of four articles by Strauss Troy about cybersecurity preparedness and response. Read Part I, Part II, and Part III.
A cybersecurity event or data breach is a security violation that exposes protected or confidential information to an unauthorized individual or group. As more and more jobs operate in a connected (and sometimes remote) environment, the opportunity for data breaches increases, through both technology vulnerabilities and user behavior.
The true costs of a breach
Cybersecurity breaches cost companies millions of dollars each year. The transition to remote work in 2020 moved many office communications to cloud platforms like Teams, Webex, and Slack. Since many office tasks are now conducted online, companies are more vulnerable to cyber attacks without the controlled security that corporate firewalls can provide. Industrial services such as engineering, construction, and logistics are the now biggest targets, as are smaller companies with 100-1,000 employees. According to a study by IBM, the average total cost of a data breach rose nearly 10%, from $3.86 million in 2020 to $4.24 million in 2021.
The cost of a cybersecurity breach isn’t just limited to ransom payments; breaches cost companies both directly and indirectly. In the last few years, lost business represented the largest share of cybersecurity breach costs and included lost revenue from downtime, lost business from customer turnover, and the cost of acquiring new business because of the company’s declining reputation. Lost business from the these issues can comprise a third or more of the total breach costs. Plus, when considering ransom, companies may have to consider other threats, such as doxxing the website or revealing a breach, which we’ll dive into more in a bit.
What the U.S. Government says about ransom 
Cyber actors may demand ransom payments to recover data accessed or seized during an attack. However, some U.S. laws govern the ability to pay. US citizens are prohibited from conducting direct or indirect transactions with cyber actors sanctioned by the U.S. Treasury Office of Foreign Assets Control (“OFAC”), a cyber actor on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List), or one in a comprehensively embargoed country or region (e.g., Cuba, Crimea, Iran, North Korea, and Syria). In October 2021, OFAC issued updated guidance on the sanctions risk in making or facilitating ransom payments. Another reason to quickly voluntarily report any data breaches: the OFAC will consider a company’s self-initiated, timely, and complete report to law enforcement to be a significant mitigating factor in determining enforcement.
Ransom. To pay or not to pay: that is the question
Extortion has become the name of the game when it comes to cybersecurity breaches. Just a few years ago, 30% of cases had some sort of extortion demand. That number has risen to 70% of cases. However, while demands are going up, the percentage of ransom payments made is decreasing. Why? Companies are no longer sure their data will truly be deleted. While infiltrators will pressure victims for payment by threatening to release stolen data if they refuse to pay, publicly naming and shaming victims can be a secondary form of extortion.
Once you’ve made the payment, how do you know your data will be unlocked? And can you be confident that the cyber criminal will not release your data onto the dark web even if you pay a ransom? Ransom negotiators are now becoming common: they are able to determine whether the attacker has a reputation for keeping his word. The FBI also keeps track of how the attacker responded in other known cases.
The best way to handle a cybersecurity breach and the associated losses is to prevent one from occurring in the first place. However, preparedness is key. If a breach were to occur, does your business have action plan in place to quickly respond? As cybersecurity breaches—and the damage they inflict to businesses—continue to become more commonplace, the attorneys at Strauss Troy can help you prepare for and respond to potential cybersecurity threats.