estimated that $1.2 billion was paid in 2021 to ransomware actors. Unfortunately, in over 35 percent of the cases where money was paid, the attackers did not restore the data or refrain from returning in a future attack. The Office of Foreign Assets Control (“OFAC”) warned that paying ransom may constitute a violation of economic sanctions laws, be a threat to national security, and encourage future attacks. The U.S. government is further turning its focus to requiring the reporting of ransomware attacks. In March 2022, President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act. The act requires companies that power the country’s critical infrastructure to report “substantial” cyber incidents to CISA within seventy-two (72) hours and to report payments made for ransomware attacks within 24 hours. Incidents can also be voluntarily reported to the Cybersecurity & Infrastructure Security Agency (CISA). This U.S. agency works with partners to defend against cyber threats and collaborates with partners to build a more secure and resilient infrastructure.
In July 2021, President Biden signed a National Security Memorandum on Improving Cybersecurity for Critical Infrastructure Control Systems. This memorandum required the Cybersecurity and Infrastructure Security Agency, in coordination with the National Institute of Standards and Technology and the interagency community, to develop baseline cybersecurity performance goals that are consistent across all critical infrastructure sectors. These goals include recommended actions for account and device security, data security, governance and training, vulnerability management, supply chain/third parties, and response and recovery. The government has also launched StopRansomware.gov to provide resources to tackle ransomware more effectively.
Port agencies are further highlighting the importance of cybersecurity. In January 2022, the Port of Los Angeles debuted its Cyber Resilience Center, a cyber-defense solution created to improve the cybersecurity readiness of the Port by enabling participating stakeholders to automatically share cyber-threat indicators and potential defensive measures with each other.
Shipowners and operators must prepare, detect, and respond to cyber incidents. According to data from the IBM Security Cost of a Data Breach Report 2022 analysis compiled by the Ponemon Institute, the average cost of a ransomware attack, not including the ransom itself, is $4.54 million. Additionally, the report found that the average savings associated with an incident response team and regularly tested incident response plans is $2.66 million.
It is important to not only develop cybersecurity plans, but to have counsel throughout the incident response and recovery, including but not limited to assistance in implementing and maintaining requisite data security safeguards such as written information security programs to comply with data security laws, and advising on data breach notifications to affected individuals and the requisite governmental/regulatory authority. Companies can lower cyber risks by conducting annual risk assessments and awareness training, implementing strategic IT investments, analyzing vendor management security commitments, and evaluating insurance coverage. If a cyber incident does occur, the first 24 hours are critical to investigating the breach, including identifying the nature of the breach, the categories of information compromised, how many individuals have been affected, the cause of the compromise, and the likely consequences of the breach and the risks to affected individuals, and to immediately begin remediation. The company’s incident response plan should be followed, and relevant stakeholders within and outside the company should be notified (e.g., general counsel, company Board, internal communications department, insurance brokers, government regulators, and affected individuals). Experienced counsel can also assist with notices that are regulatorily and contractually required, and help draft security, privacy, and indemnification clauses in vendor contracts, and in acquisitions to ensure that all parties partner in mitigating cyber security risk. In this realm, advance planning and proper execution of those plans is the key to weathering a cybersecurity storm.
© 2023 BLANK ROME LLP
MAINBRACE • 24