COR Issues Supplemental Memo on Ransom Attacks on Large U.S. Companies
On November 16, 2021, the Committee on Oversight and Reform (COR) issued its Supplemental Memo on Committee’s Investigation into Ransomware detailing recent high-profile ransomware attacks on large companies—Colonial Pipeline Company (Colonial), JBS Foods USA (JBS), and CNA Financial Corporation (CNA)—addressed in our previous blog post, CNA Cyber-Attack Cautions Businesses to Examine Their Insurance Policies.
In conducting research for its supplemental memo, COR began investigating these large companies in June 2021, since all three had experienced public and impactful cyber-attacks. The objective of the supplemental memo was to provide insight into why and how these attacks occurred and to identify future legislative and policy responses that may be developed to combat similar attacks.
The memo provided three major observations regarding large-scale cyber-attacks that businesses should be apprised of to prevent similar attacks in their organization. The memo states:
Small lapses led to major breaches. Ransomware attackers took advantage of relatively minor security lapses, such as a single user account controlled by a weak password, to launch enormous, costly attacks. Even large organizations with seemingly robust security systems fell victim to simple initial attacks, highlighting the need to increase security education and take other security measures to prevent such attacks.
Some companies lacked clear initial points of contact with the federal government. Depending on their industry, companies were confronted with a patchwork of federal agencies to engage regarding the attacks they faced. For example, two companies’ initial requests for assistance were forwarded to different FBI offices and personnel before reaching the correct team. Companies also received different responses on which agencies could answer questions as to whether the attackers were sanctioned entities. These examples highlight the importance of clearly established federal points of contact.
Companies faced pressure to quickly pay the ransom. Given the uncertainty over how quickly systems could be restored using backups and whether any sensitive data was stolen, the companies appeared to have strong incentives to quickly pay the ransom. This pressure was compounded by attackers’ assurances that payment of the ransom would resolve the situation and avoid negative publicity for the company. For instance, after the initial hack of JBS, REvil told the company, “We can unblock your data and keep everything secret. All we need is a ransom.” Further examination is needed of the factors encouraging ransom payments, including the role of cyber insurance and the costs companies can face even after paying a ransom, especially when the cybercriminals fail to deliver on their promises.
Additionally, the supplemental memo states that there is a “need for clearly established federal points of contact in response to ransomware attacks,” considering the inherent pressure many businesses feel to issue payment when faced with an attack, despite FBI guidance to refuse to do so.
To watch the hearing held by the House following the memo's release, click HERE.
For questions or concerns as to how this memo impacts your business, contact Kennedy Sutherland.