Don’t be Held at Ransom by Ransomware
Ransomware is a viral issue. Recent news reports of ransomware attacks have generated infectious fears of this cryptic threat.[1]
[1] See e.g. https://www.straitstimes.com/tech/tech-news/ransomware-attacks-threaten-nations-137-spore-firms-fell-prey-in-2021-csa
This article hopes to build herd immunity in legal practitioners by inoculating them in three areas relating to ransomware: prevention, response, and the limitations of cybersecurity insurance policies.
Prevention is Mandatory
In the context of ransomware, prevention is not just better than cure; it is mandated by law. Section 24 of the Personal Data Protection Act (PDPA) requires organisations to make reasonable security arrangements to protect personal data in their possession or under their control. Defending against ransomware falls squarely within this duty, because criminals often exfiltrate and threaten to leak or sell compromised personal data (so-called double extortion), on top of encrypting the victim’s database.[2]
[2] See e.g. Toll Logistics (Asia) Limited and others [2022] SGPDPC 4; J & R Bossini Fashion Pte Ltd [2021] SGPDPC 9.
The Cyber Security Agency of Singapore (CSA) has published an advisory on how to prevent ransomware attacks.[3] In brief:
- Secure your systems: Keep the firm’s antivirus software updated and ensure staff practise cyber hygiene.
- Protect personal data: Encrypt important data and keep an updated offline backup.
- Plan your incident response and business continuity: Conduct drills to test the effectiveness of the planned measures and the staff’s familiarity with them.
[3] https://www.csa.gov.sg/en/singcert/Advisories/ad-2021-009
What to Do in the Event of a Ransomware Attack
The CSA has published a guide to assist organisations with developing an incident response plan.[4] The broad strokes are:
- Isolating the affected systems;
- Wiping out the malware;
- Restoring affected systems from backups or with decryption tools (free decryption tools are available from No More Ransom,[5] an international public-private collaboration); and
- Monitoring the network for further anomalous activity.
[4] https://www.csa.gov.sg/gosafeonline/resources/incident-response-checklist
[5] https://www.nomoreransom.org/
We Do Not Negotiate with Cyberterrorists
The million-dollar question is “Should I just pay the ransom?” While the law does not prohibit the payment of ransoms, the government has consistently urged victims not to do so.[6]
[6] Singapore Parliamentary Debates, Official Report (7 November 2016) vol 94 at col 13 (K Shanmugam, Minister for Home Affairs).
Paying the ransom does not guarantee recovery of the affected data (there is no honour among thieves) and may even invite future attacks on the same organisation.[7]
[7] Singapore Parliamentary Debates, Official Report (4 October 2021) vol 95 at col 64 (Josephine Teo, Minister for Communications and Information).
Indeed, it has even been suggested that paying a ransom may attract criminal liability for “assisting in criminal conduct (and/or obtaining the benefits thereof), or facilitation of terrorism-related activities”.[8]
[8] https://lawgazette.com.sg/practice/practice-matters/when-is-it-time-to-pay-the-piper/
That said, the ransomware victim has to make its own judgment call. In a recent survey conducted by a cybersecurity firm, 28 per cent of ransomware victims cited “life-and-death” reasons for making payment.[9] In the legal practitioner’s context, court deadlines and delicate corporate timelines may be unsympathetic to the plight of a law firm that has fallen victim to ransomware. More often than not, a ransomware attack gives an unprepared victim no time to source a suitable backup or decryption tool (experts estimate that this may take from five to 21 days).[10] In the circumstances, law firm victims may feel compelled to pay the ransom in the hope of recovering their data, despite the risks outlined above.
[9] https://www.businesstimes.com.sg/technology/singapore-companies-pay-average-s15m-after-ransomware-attack-report
[10] https://www.businesstimes.com.sg/hub/boardroom-matters/ransomware-to-pay-or-not-to-pay
The affected firm would also need to consider making three types of report:
- A police report,[11] given that a ransomware attack is a cybercrime;[12]
- A CSA report,[13] to get in touch with the Singapore Computer Emergency Response Team (SingCERT, the “frontline unit” of the CSA); and
- A PDPC (Personal Data Protection Commission) report,[14] if the ransomware attack constitutes a notifiable data breach.
[11] https://eservices.police.gov.sg/content/policehubhome/homepage/police-report.html
[12] Supra note 6.
[13] https://www.csa.gov.sg/singcert/reporting
[14] https://www.pdpc.gov.sg/Report-Data-Breach
A police report and a CSA report should be made in all ransomware cases, whereas the necessity of a PDPC report depends on the nature of the data breach. In brief, a breach is notifiable if it results, or is likely to result, in significant harm to the affected individuals, or if it affects 500 or more individuals, and the PDPC must be notified within three calendar days of the firm assessing that the breach is notifiable. The PDPC’s data breach reporting webpage provides a self-assessment tool for this purpose, and clicking through its permutations is a quick way to become familiar with the reporting obligations. Alternatively, one may peruse sections 26B, 26C and 26D of the PDPA[15] and regulations 3 and 4 of the Personal Data Protection (Notification of Data Breaches) Regulations 2021[16] to discern the reporting obligations. Most law firms would likely be bound by the PDPA reporting obligations, given the sheer volume and sensitivity of the client information stored in their databases.
[15] https://sso.agc.gov.sg/Act/PDPA2012
[16] https://sso.agc.gov.sg/SL/PDPA2012-S64-2021?DocDate=20210930
Once notified, the PDPC is empowered to investigate the cause(s) of the ransomware attack.[17] If the PDPC finds that the firm had failed to make reasonable security arrangements before the incident,[18] the firm may be liable to a financial penalty of up to $1,000,000 and/or directed to implement measures to restore compliance with the PDPA.[19]
[17] Section 50(1) of the PDPA.
[18] Section 24 of the PDPA.
[19] Sections 48I and 48J of the PDPA.
In determining the quantum of the financial penalty, the PDPC will consider the factors set out in section 48J(6) of the PDPA. In particular, the timeliness and effectiveness of the measures taken to mitigate the data breach will be assessed. Although non-payment of the ransom is in line with the government’s recommendation, the PDPC does not treat it as a mitigating factor,[20] since the payment decision is made after the incident and is irrelevant to the security lapses that allowed the ransomware attack in the first place.
[20] Genki Sushi Singapore Pte Ltd [2019] SGPDPC 26 at [25(b)]; Re Chizzle Pte Ltd [2020] SGPDPCR at [10].
Alternatively, the firm may offer a voluntary undertaking to implement remedial measures before the PDPC completes its investigation and decides on a sanction.[21] Following such an undertaking, the PDPC has the discretion to suspend or discontinue its investigation (with the option of reviving it if the undertaking is breached).[22] It should be noted, however, that the PDPC may require such undertakings to be publicised, including on the PDPC’s list of undertakings,[23] which also tracks each firm’s subsequent compliance (or lack thereof).[24]
[21] Section 48L of the PDPA.
[22] Sections 50(3)(ca) and 50(3A) of the PDPA.
[23] https://www.pdpc.gov.sg/undertakings
[24] Sections 48L(2), 48L(3) and 48L(5) of the PDPA.
Are Cybersecurity Insurance Policies the Answer?
An insurance policy, as with any other contract, does no more or less than what it contains. Law firms would do well to scrutinise the policy provisions to avoid the rude shock of having a claim rejected after a ransomware attack.
Some key considerations to note include:
- Underwriting criteria: Policies are often offered on condition that the firm declares that stringent security measures have been implemented. For example, a policy may require the firm to have implemented two-factor authentication on all e-mail accounts and access points (i.e. requiring a security token or one-time password on top of the usual log-in credentials) and daily backups of its databases. If such measures have already been implemented, the firm should assess the realistic probability of still suffering a crippling ransomware attack, and whether the policy adds appreciable value to an already robust incident response plan; if the loss or damage from an attack is unlikely to be significant, there will not be much to claim under the policy. Conversely, if the declared measures have not in fact been implemented, there is a real risk of the insurer rejecting the firm’s claim after investigating the ransomware attack.
- Coverage: Firms should list the losses and liabilities which they expect to incur from a ransomware attack, and compare that list against the policy’s coverage. Consider the liability limits and exclusions imposed by the policy, and assess how losses incurred across various permutations of events would be handled (e.g. the ransom is paid but the data is unrecoverable and the client sues the firm for losses caused by the firm’s business disruptions).
- Premiums: Having reviewed the underwriting criteria and coverage of the policy, the firm should assess whether the premiums are commercially justifiable. The premiums may well be better spent reinforcing the firm’s cybersecurity defences.
In summary, purchasing cybersecurity insurance without implementing cybersecurity measures may buy nothing more than a false sense of security. One cannot “contract out” of the need to implement adequate cybersecurity measures and practise cyber hygiene.
So, as in many aspects of life, prevention is better than cure.