Ransomware, Data Breaches and the Tension Between Disclosure and Damage Control

Brian Finch recently returned to Joel Simon’s Industry Insights podcast to discuss the uptick in cyberattacks, data breaches perpetuating insider trading and strategies companies can employ to guard against these problems.

Joel Simon: It’s hard to believe it’s been more than 10 months since you joined us for a discussion of social engineering, fund diversion scams and a then-recent escalation of state-sponsored cyberattacks. A lot has changed since then, but not surprisingly cyberattacks have increased and some of their aftereffects have had far-ranging implications. What are you seeing as the biggest threats today?

Finch: We are still seeing a variety of threats that are impacting companies in the United States and beyond. We are definitely seeing a spike, for instance, in ransomware attacks that also have a data breach component to them. Normally, when you have a ransomware attack, what happens is that a company’s data is encrypted and you have to pay off—hence the term ransomware—the perpetrator of the hack to get your information unencrypted and return your data systems to normal. What’s been recently happening is that it’s just not the encryption; there has also been an exfiltration of data, so it’s a dual threat in that case. Not only is your data encrypted, but it’s being stolen as well, and the hackers are demanding a ransom not only to unlock your system, but also to prevent them from releasing the private information, the personally identifiable information, health care information, sensitive financial information, etc. to a wider audience. So, it’s sort of a two-fer attack. You get the ransom, and you get data breach as well.

Simon: That must present companies with serious challenges?

Finch: That has been pretty challenging, and it’s increasing the pressure on companies to respond and potentially pay off the ransom in that particular case, because not only do you now have to worry, “Can I keep my business going?” but even if you can unlock it pretty easily, or with the help of law enforcement or incident response companies, you still have to worry about this potential for a data breach. And, of course, the data breach is more harmful because that can trigger all sorts of notification requirements and potential penalties under state and other laws. It’s definitely a dangerous trend, and one that I don’t think is going to be decreasing any time soon. It’s the sad reality, unfortunately, that it’s generating a lot of money. And where there is money, you are going to find criminals. The combination of the two has led to a lot of increases in cyberattacks over the last 12 months.

Simon: As always, Brian, it sounds like there is lots to keep you and your team busy. One offshoot of this that caught my attention is the use of knowledge of a data breach to perpetrate insider trading. This is different than the use of the stolen information itself. What can you tell us about that?

Finch: That’s another really interesting, and I would say in some ways, disappointing trend. We are starting to see hints that, when there is knowledge inside a company before public disclosure, you might see some trading going on to take advantage of the situation. The company’s stock might take a hit, it might face penalties, etc. and so, employees—whether at the executive level or others in the company who might just be opportunistic and less than fully motivated in a moral sense in the company and the public’s welfare—might try to take advantage of that by conducting some sort of insider trading and shorting, or whatever the case may be. Fortunately, Joel, I’m not overly familiar with how to conduct a financial crime, so I’m not going to go into all of the ways that people can do it, but the point here is that we’re definitely seeing some hints and worries that people are using the knowledge of the data breach—and the gap in time between the discovery and announcement of the breach—for their own personal financial gain. That’s definitely troublesome and another item that’s going to have to go on the checklist for incident response and crisis management: make sure not only that you are responding effectively, but that no one inside the company is trying to use the information in a way that would result in self-dealing or insider trading. And, unfortunately, again, as these attacks grow and there is a gap between the time it is discovered and remediated—much less publicly announced—these opportunities are going to arise. It’s certainly something that internal compliance officers and security officials are going to have to want to be on the lookout for.

Simon: That’s a fascinating development, Brian, and one that must be very difficult to prevent. What are some strategies companies can employ to guard against this problem?

Finch: There are going to be a number of tactics you can use to try and prevent that, and what’s very important to remember from the start is that you have to balance the knowledge of the cyberattack and reading in the right people in order to remediate it with the pressure to make sure that you don’t overly share information so that it falls into the hands of someone who shouldn’t necessarily have it and might be able to use it in a way that allows them, again, to conduct something for personal gain, rather than for the benefit of the stockholders, the company, customers, etc. There are a number of tools you can use there. Some are going to be procedural—making sure you know who has access to information about a breach, when they have access to it and trying to make sure that knowledge is limited only to the people who are responsible for responding or in a position to try to remediate it. This might mean not sending a company-wide email about a data breach, but also saying we are not going to announce this, and we ask everyone to keep quiet, etc. You want to make sure that the information is properly disclosed and in a way that helps maintain the security surrounding it, but also falls into compliance with whatever governing laws or regulations apply.

Simon: What other tools are there?

Finch: There is employee-monitoring software, and other tools that are used just generally speaking to be on the watch list for any of these types of insider actions. Those tools are numerous, but what’s really important here is their deployment and when they are going to be used. It shouldn’t just necessarily be for everyday incidents, or everyday incidents of insider trading, or the like. They should be something that’s in the toolbox when there is an actual data breach or some other type of cyber incident, for use at that point to monitor for any unusual spikes in trade, whether from internal or external sources, in order to make sure that no one is trying to take advantage of the situation by manipulating an individual security or manipulating the market at large.

In that sense, it just falls into a larger bucket as you watch for unusual trading, whether inside or outside the company, using those behavioral analysis tools or insider monitoring type tools. You want to make sure that they are tied to when a data breach or cyber incident has occurred, because that’s another threat scenario that has popped up and one that companies need to keep their eye on in order to keep themselves out of even more trouble.

Simon: It sounds like an ever-changing landscape for the crisis management folks at companies. And, although cybersecurity is always changing, one thing hasn’t—the vigilance that companies and individuals need to maintain to keep the wolves at bay. Thanks for this insightful update, Brian. It’s been great having you back with us again.

Finch: Always a pleasure, Joel.

Catch all of our podcast episodes on Spotify, Apple Podcasts, and Amazon Music, as well as on our website. And until next time, thank you for listening to Pillsbury’s Industry Insights podcast.