In the aftermath of the WannaCry ransomware attack, all organizations should take the opportunity to examine their cybersecurity protocols with an eye for optimizing practices and mitigating risks. We've outlined action items for all legal and compliance leaders below, along with some additional background on the WannaCry attack itself.
What Was the WannaCry Attack?
Beginning Friday, May 5 and lasting into the weekend, a new form of malware infected computers around the globe. Most experts believe that the malware was loaded directly onto vulnerable computers or through malicious attachments clicked by unsuspecting users who received fake invoices and job offers within phishing emails. The loaded malware included a program called “WannaCry” (also known as WannaCrypt, WanaCrypt0r 2.0, etc.) that encrypted and locked up user files until a ransom of $300 to $600 was paid using Bitcoin.
The most pernicious aspect of the ransomware was its ability to spread like a “worm” across different networks using an exploit called EternalBlue, allegedly developed by the National Security Agency (NSA) and exposed by a hacking group called the Shadow Brokers. In technical terms, EternalBlue took advantage of a vulnerability in the Server Message Block (SMB) protocol, version 1. This protocol is used to facilitate network file transfers across machines with Microsoft Windows operating systems. Microsoft had issued a patch for this vulnerability back in March 2017, and the WannaCry ransomware spread quickly across new and old machines that did not receive this update.
The WannaCry attack caused one of the largest online disruptions in history, infecting over 230,000 computers in over 150 countries, hampering a wide variety of organizations such as the U.K. National Health Service, the Spanish telecom Telefonica, and the FedEx courier service in the U.S.
Could It Happen Again?
Yes. Security experts have identified and killed the current version of WannaCry by taking over a web site connected to the ransomware. The same experts, however, predict that new versions of the ransomware will appear and target machines that remain unpatched against the EternalBlue exploit.
What Should Our Technical Team Be Doing to Prevent This Attack?
Your technical team is probably all over this, but legal and compliance leaders are paid to worry about risk. Therefore, you should confirm that the organization’s technical experts have blocked the WannaCry ransomware and EternalBlue exploit by patching any Microsoft Windows servers, laptops or desktop computers using the security update called MS17-010. You should also confirm that the technical team has identified machines running older versions of Microsoft Windows, such as Windows XP or Windows Server 2003. These machines are no longer supported by Microsoft and should be upgraded, replaced or at least patched with the one-time security update just issued by Microsoft. (Note: you can earn some respect and trust by supporting IT’s budget request to replace these old machines.) In addition, legal and compliance leaders should confirm that the organization is not running any unauthorized or pirated versions of Windows on the network. Such software violates copyright laws and your licensing agreements and often cannot be patched effectively, so it leaves the organization open to future attacks.
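A read-only inventory check for the items this paragraph asks you to confirm (MS17-010 applied, unsupported Windows versions, SMBv1 still enabled), written here as an added PowerShell example; it is not from the article or from Microsoft. It assumes PowerShell remoting (WinRM) and administrator rights on the target hosts; the MS17-010 KB list and the two hostnames are assumptions, and the KB list should be verified against Microsoft's bulletin for the builds in your fleet.

```powershell
# Added example (not from the article): read-only check of MS17-010 / SMBv1 exposure.
# Assumes WinRM and admin rights on the targets. KB list is an assumption drawn from
# Microsoft's MS17-010 bulletin; confirm it against the bulletin for your OS builds.
$Ms17010Kbs = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
                'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429')
# Versions the article calls out as no longer supported by Microsoft.
$UnsupportedOs = @('Windows XP','Windows Server 2003')

function Test-WannaCryExposure {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))
    foreach ($c in $ComputerName) {
        try {
            $os  = Get-CimInstance Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
            $kbs = Get-HotFix -ComputerName $c -ErrorAction Stop | Select-Object -ExpandProperty HotFixID
        } catch {
            [pscustomobject]@{ Computer=$c; OS='unreachable'; Unsupported=$null;
                               Ms17010Seen=$null; Smb1Enabled=$null; Action='investigate' }
            continue
        }
        $unsupported = [bool]($UnsupportedOs | Where-Object { $os.Caption -like "*$_*" })
        # Caveat: later cumulative updates supersede these KBs on Windows 10, so a miss here
        # means "review against the current patch level", not "definitely vulnerable".
        $patched = [bool]($kbs | Where-Object { $Ms17010Kbs -contains $_ })
        # Server-side SMBv1 state; the cmdlet only exists on Windows 8 / Server 2012 and later.
        $smb1 = Invoke-Command -ComputerName $c -ErrorAction SilentlyContinue -ScriptBlock {
            if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
                (Get-SmbServerConfiguration).EnableSMB1Protocol
            } else { 'unknown (pre-2012 host, assume enabled)' }
        }
        if ($null -eq $smb1) { $smb1 = 'unknown (remoting failed)' }
        # Anything other than an explicit $false for SMBv1 is flagged for follow-up.
        $action = if ($unsupported)         { 'upgrade/replace; apply one-time update' }
                  elseif (-not $patched)    { 'verify MS17-010 / current cumulative update' }
                  elseif ($smb1 -ne $false) { 'confirm SMBv1 is disabled' }
                  else                      { 'ok' }
        [pscustomobject]@{ Computer=$c; OS=$os.Caption; Unsupported=$unsupported;
                           Ms17010Seen=$patched; Smb1Enabled=$smb1; Action=$action }
    }
}

# Usage (hostnames are constructed placeholders); pipe to Export-Csv to keep a record.
Test-WannaCryExposure -ComputerName 'SRV-FILE01','WS-ACCT-07' | Format-Table -AutoSize
```

The Action column is the list to hand back to IT; treat 'ok' as "nothing flagged by this check", not as proof the host is fully patched.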
Finally, because ransomware fails if you can quickly restore vital data, legal and compliance leaders should talk to IT managers about their organization’s backup procedures. Critical data should be backed up every day and segregated from the rest of the network. Other important data should be backed up on a weekly basis. In addition, legal and compliance leaders should confirm that backups can be quickly and fully restored in case of cyber-attacks or natural disasters like fires or floods. It is often helpful to conduct a live disaster recovery (DR) or incident response (IR) drill to confirm how long it actually takes to restore backups and become fully operational.
Do We Need to Notify Customers if Our Organization Was Hit by WannaCry?
Of course, legal notification requirements depend on your jurisdiction and situation. Most foreign jurisdictions have less stringent notification requirements than the U.S., but the law is changing and can vary widely from country to country. Within the U.S., notification requirements may depend on the severity of the breach and an organization’s state of incorporation or business, contract terms, industry sector and status as a public company.
Under many U.S. state laws, ransomware may not trigger notification unless it involves the unauthorized “access” or “acquisition” of personally identifiable information. Many private contracts, however, may require notification of a business partner within hours of a “suspected breach.” Within the U.S. health care sector, the Department of Health and Human Services (HHS) has specifically stated, “The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule.” Therefore, according to HHS, the presence of ransomware often requires a health care organization to implement its incident response procedures, and may require it to notify customers if “there is high risk of unavailability of [protected health information], or high risk to the integrity of the data.” Finally, the SEC may require a U.S. public company to disclose a ransomware attack in security filings if the cybersecurity risk and attack are deemed to be “material” to the company.
In short, each company’s situation is different, and the organization should consult with counsel and compliance managers following any large ransomware infection. Notification requirements will likely turn on the type of machines or files that were infected, the location of that data, the applicable law and regulations, and the risk of harm to individuals or the company itself.
If Our Organization Was Infected, Will Insurance Cover Our Damages?
Again, it depends on your circumstances and coverage. Many companies believe they are covered for common “errors and omissions” by employees, such as clicking on a phishing email link, but they may be surprised to find that such online activities are excluded. Increasingly, ransomware and other online attacks are covered by separate “cyber” policies or riders. Even then, coverage may depend on whether one or more policies cover the cost of the company’s investigation, repair of network machines, business interruption loss and the actual ransom amount. Insurance carriers will often recommend or require that specific providers assist in any incident response. Companies also should be aware that timing is an important issue for insurance carriers. They may not provide coverage if a recommended patch was not applied promptly to a vulnerable computer, and they usually require notice before any full-scale investigation starts or any ransom is actually paid.
What Can My Organization Do In General to Bolster its Cybersecurity?
Update your program, then practice, practice, practice. Good security is a journey, not a final destination; companies must constantly re-evaluate their risks and appropriate reactions, especially when faced with a new global threat like WannaCry. Every company should elevate cybersecurity, move it outside the narrow purview of the IT department and give the topic board-level recognition. A multi-department team should work with IT to build an effective cybersecurity program based on a widely recognized framework such as NIST CSF, ISO 27001-2, or PCI DSS. The program should require a full periodic assessment against this framework and robust training that constantly reminds employees they are the crucial first line of defense against phishing exploits, which remain the most common point of entry in most hacks. The program should also include a disaster recovery plan that emphasizes the importance of regular backups and an incident response plan that addresses a variety of cyber threats, including ransomware. With these plans in hand, legal and compliance leaders should lead their response teams in regular practice drills or exercises, thereby ensuring that everyone is ready to move, not if, but when the next threat like WannaCry appears.