Simplify for Success - Conversation with Susan Lindberg
Susan is a shareholder at Gable Gotwals with more than 25 years of experience as an attorney in the energy sector, both at the law firm and as a general counsel.
She spoke about the growing ransomware threats and the practices that will help you be prepared for such an attack.
*Views and opinions expressed by guests do not necessarily reflect the view of Meru Data.*
Hello everyone, welcome to our podcast around simplifying for success. Simplification requires discipline and clarity of thought. This is not often easy in today's rapid pace work environment.
We've invited a few colleagues in data and information governance space to share their strategies and approaches for simplification.
Today, we'll be talking with Susan Lindberg. Susan Lindberg is a shareholder in the Tulsa office of GableGotwals. She has more than 25 years of experience as an attorney in the energy sector, both at the law firm and as a general counsel at public companies. Prior to joining the firm, Susan was an executive vice president and general counsel of Consent Group Corporation. She was also general counsel and corporate secretary of Eni US Operating Company and part of the US executive team for Italy's ENI SPA.
Before joining ENI, Susan held key legal and government affairs roles in the interstate natural gas pipeline business at Duke Energy and Indrawn Corp.
Welcome to the show, Susan. Would you like to add a little bit about what you are doing currently and your role at the firm?
Yes, thank you.
First of all, thank you for having me, Priya. It's been so wonderful to catch up with you and to hear about the wonderful work you're doing at your company. I, at GableGotwals, have been as we discussed working not only in corporate transactions and governance matters but specifically in cybersecurity. So, advising clients in the legal aspects of cyber security and incident preparedness.
Before we got started with the show, we wanted to talk about a few disclaimers.
Just a quick disclaimer. The opinions I express here are my own and do not reflect the opinions of my firm, GableGotwals, or any of its clients, and while I do want to share some insights that I hope will be useful, my remarks are not intended to be legal advice or to be a substitute for the listener seeking the advice of counsel for specific legal questions.
So, ransomware attacks have spiked more than tenfold in just the first half of 2021, and Biden yesterday held a summit at the White House to step up cyber security, and one of the things that he asked of Microsoft, Google and other CEOs in the technology space is to help invest in this space, since it's a national security issue. We also saw the news just yesterday saying that Microsoft would pledge to invest billions in cyber security, and similarly the same thing with Google and others.
Why is this topic more important now than ever?
Well, we've certainly, as you mentioned, seen an uptick in incidents and also in the size of the ransoms that are being demanded, so it's been cause for alarm. I think there are probably three reasons we should discuss for why this topic is more important right now than ever.
One is concern about critical infrastructure. The second is increased vulnerabilities over maybe the past 18 months to two years. The third is the rise of ransomware as a service, which is a term you hear used more and more often.
So first of all, just as background, ransomware can be used in a couple of ways, right? First, it is a way to encrypt a company's data so it can't be used, and also to steal data and demand a ransom not to publish it, and we're seeing both kinds of uses of ransomware. All you have to do is pick up the paper and you'll see an example of a breach affecting customers that compromises their personal data. That's become all too common. The Colonial Pipeline incident earlier this year, though, presented a different scenario. It affected customers too, because it caused a shortage of fuel all along the East Coast. But it was also an attack affecting a key part of the US critical infrastructure, so it's also a matter of national security.
As you mentioned, ransomware attacks have increased. OFAC, the Office of Foreign Assets Control, estimated that between 2020 and 2021 the incidence of ransomware attacks increased at least threefold. This is just an estimate because not all ransomware attacks are reported. But according to the US government, vulnerability to attacks during this time was generally exacerbated by the vast increase in the number of employees working from home.
This shift, which occurred fairly quickly, caused supply chain changes, increased use of applications, and staffing shortages. Companies had to react quickly to the pandemic, and it was just hard for security teams to keep pace. The amounts of ransom reportedly being demanded, as I mentioned, and paid are increasing as well. And then finally, I mentioned ransomware as a service. It has become a profitable and well-organized business. Ransomware is very easy to get and deploy. Ransomware-as-a-service companies generate tools, take a cut of the ransom, and provide support to their users.
Basically, just as with legitimate software development, scalable cloud infrastructure is making ransomware development and deployment easier for criminals.
So, coming back to the energy sector, and obviously one of the biggest attacks that happened this year, the Colonial Pipeline attack, brought this to light. We've always talked about how energy infrastructure is critical, and obviously cyber security has been a major part of most energy companies' strategy to protect the infrastructure, right? But do you have any comments on how Colonial handled the ransomware attack? Could they have done anything differently? Any thoughts that you have around the attack itself as well as the response?
Well, certainly a lot has been written about the attack, but the public will probably never have all the details. The Department of Homeland Security considers a lot of this type of information to be sensitive security information, to protect national security, but the Colonial CEO did testify publicly before Congress in June, so we were able to learn a little bit more. He did comment that Colonial had strong security measures in place, but that it wasn't enough, and he also stated that the ransomware attacker accessed Colonial's system via a legacy profile for a VPN.
Now, having worked in the pipeline business myself, I believe that Colonial probably did have strong security policies. It's something the entire industry has been seriously focused on for many years, because there's such a strong connection to public safety and energy security. But the bottom line is, these attackers are very patient. They will surveil a company until they find that one, sometimes very simple, weakness to gain access. In the case of Colonial, it was just a legacy profile that had been left open, and the attacker was able to learn the login credentials. So, you know, you're only as strong as your weakest link, I think, is the lesson here.
So, as an ex-GC and a chief risk officer of a company, what comes to your mind when you think about ransomware? How do you even prepare? Like you said, you're only as strong as your weakest link, so all you have to have is one vulnerability and that's all they need to exploit to be able to penetrate and take advantage of the situation, right?
So, would this just be the role of security? Should the GC be involved? If so, why? How can general counsels play an active role in both informing and protecting their companies from ransomware? It has pretty much become a "when" as opposed to an "if", because ransomware has become so prevalent that almost all of us should assume it's a risk that is likely to happen to any company.
So, what are your thoughts as an ex-GC to any GCs out there listening to this?
Well, ransomware attacks, even though you would hope they would be infrequent occurrences, are occurring more and more frequently. And they have to be treated as a serious incident at your company and elevated to the highest levels of the organization. It's a tremendous area of risk and needs to be treated similarly to any other significant crisis. So, not only should the general counsel and trusted external counsel be among the first responders if you have a ransomware attack, they should actually lead the response to a ransomware attack, and your planning or preparation, your incident response plan, should take this into account.
Like any unwelcome incident, a ransomware attack has the potential to cause further damage by creating legal liability, so legal counsel needs constantly to be in the chain of communication following the attack, and in fact, counsel needs to be the one to initiate and direct all internal and especially external communications.
So, counsel will ensure the incident response plan, including channels of communication, is appropriately deployed, and another role that legal has is to ensure that communications and work product are properly protected and kept confidential, including protection under attorney-client privilege, if that's appropriate.
I probably can't emphasise to listeners enough that this has to be done right from minute one, from day one. The GC would be the one to engage consultants for investigation and restoration of systems. They would engage the ransomware payment facilitator, external relations consultants, and external counsel in appropriate areas of specialization. The general counsel in any crisis is the interface with the Board of Directors and, finally, would manage communications with government and law enforcement.
This doesn't mean other functions aren't involved, it's just that it's important to cast the legal function of the general counsel as the lead here for those reasons.
So, you mentioned a number of things that the GC has to lead once an incident happens, but proactively, in order to prepare so that it never happens.
How do you foster a true partnership between legal and security? What are some of the challenges in your mind that you have seen in building this partnership? And how can one achieve, you know, a cohesive working relationship between security and legal?
Well, digital security is… it's a big job, right? So, on an everyday basis, it does rest squarely on the shoulders of the chief information security officer or your company's equivalent. But that employee who's very important cannot be successful alone. They need the collaboration and support of the entire company, and so the legal department certainly has an important role to play not just if you have a crisis, but on an ongoing basis.
The general counsel should make sure that the Chief Information Security Officer has the support they need in knowing about applicable regulations and how to craft good policies and procedures. Usually, the legal function is very good at that as well, so just making sure you have that constant dialogue. I would also say that while not all general counsels have a technical background, most of them will excel at helping companies establish and communicate the rules of the road throughout the organisation, so they can certainly be of assistance to the information security team there as well. I could go on about creating a culture of cyber security, if you want me to.
Yes, please go ahead.
So, the general counsel is part of an executive team, and the whole executive team is usually involved in shaping a culture, and that includes one in which the cyber security rules are followed. I would say, if you don't have the support of the executive team and the CEO, then you may not have very successful cultural support for cyber security. At the end of the day, a lot of the things that companies put in place involve the behavior of individual employees and their complying with the regulations or the internal policies on a consistent basis.
If you think about it, even with your own personal data security, you're having to do a lot of extra things in order to ensure that security; it's maybe an extra step you're asking people to do. Maybe you're asking people, before they install new software, to clear it with the IT department. Or say an employee is traveling, and there are company policies in place to use features that ensure endpoint security rather than just using public Wi-Fi, for example.
So, making people do what feels to them like extra work can be really tricky, and these needs have to start being hardwired into the company in order to really be successful. I think that the General Counsel, the Chief Information Security Officer, and anyone else in a compliance function outside of cyber security, just creating that culture of "this is how we do things, this comes automatically to us," can be really helpful in ensuring the company's information security and other kinds of security as well.
Yeah, I agree, and I think if you look at past incidents, like some of the major ones such as Equifax, or SolarWinds, at the end of the day any kind of incident becomes a huge legal liability. In fact, there is an argument to be made about whether security should report to Legal, because as a chief risk officer you probably have a much better understanding of the risk around security and the liability that it can bring to the company, so being part of the executive team, you're more likely to sponsor and support and elevate this as a cost than the rest of the executive team, than, let's say, a CIO. There is also a conflict with the CISOs reporting to the CIO, because the CIO is looking more at implementation. So, you need to have, as an auditor, one of the things that you always talk about: checks and balances, so that you can take a critical look at the infrastructure and identify gaps.
Having the CISOs reporting to the Chief Risk Officer gives that sufficient level of independence that is required, and as you mentioned, it's something that most chief risk officers understand as an important aspect and a critical risk that needs to be addressed. But there needs to be a bridging of the gap in terms of being able to understand the technology and work well with the security team. And some of this is also, whatever you do, there's still some exposure from a security standpoint that you have to accept, because the nature of the beast is that it's just completely impossible to eliminate all risk, but at least taking a risk-based approach makes a lot of sense from a management and a building-a-culture standpoint.
That's all very true and thank you for raising those points because you know, there's usually a lot of discussion about where these functions will sit in an organization, and there's sort of a tension between having sufficient resources in an area to ensure that risk is adequately managed and in achieving efficiency right? So, sometimes companies want people to wear a couple of different hats, and you know it has to be carefully decided.
One thing this relates to as well is, of course, as you and I know, cyber security has moved front and center as a governance issue for executive teams and for boards of directors as well. And so you may have your Chief Information Security Officer presenting to the board, depending on how your board committees are structured. You may have that person interfacing with the board quite often as part of the whole discussion about risk management at a board level. I think that's becoming much more common.
Makes sense. So, what should be part of a ransomware contingency plan? When should payment be considered? Going back to that, does legal risk need to be considered in paying a ransom? And can victims rely on insurance to protect them?
Those are all terrific questions and very much at the forefront of a lot of people's minds right now, and I'll try to answer all of those. As far as a ransomware contingency plan, I've already talked a little bit about incident response, but definitely have a plan that considers ransom.
Having your system locked down by an attacker is stressful enough and you don't want to be deciding at the last minute when you're in the middle of an attack, whether or not to pay the ransom. I think that this has to be pretty carefully thought through as part of an incident response plan.
As I mentioned before, your written plan should identify your external and internal first responder team: your external counsel, security consultant, your local contact at the FBI, and any government agencies relevant to your company. Then you should definitely know how your insurance policy treats ransom payments. Legal should have a toolkit, ideally as part of the plan. I always recommend that people have a toolkit that includes a list of regulatory notification requirements, contacts within the government, external resources, and then templates for things like notifications, holding statements to the press, forms of agreement for engaging consultants, and other kinds of resources that'll help you move quickly, because there will be a lot to do.
The plan should also include, and I think there's increased interest here, maybe not requirements depending on what industry you're in, but I think companies need to consider how they will work collaboratively with government if they get a ransomware attack. Everything really is pointing to greater requirements surrounding transparency, or at least incentives to work with the U.S. government in the wake of a breach, particularly if you have attacks on critical infrastructure.
As far as whether to pay, it's a very thorny question. Every company would love to be in a position where they're confident that they have their systems backed up sufficiently to restore operations so they can avoid having to pay a ransom, and so companies should consider ahead of time whether and how this should be accomplished and how long it would take, but it's not that easy.
Companies that go this route should expect, if they don't pay the ransom, that the attackers may threaten to, and may actually, publish any information they've been able to exfiltrate, and they may ask for a ransom in order to not do that. So you have to consider the possibility that you could have damage caused as a result of the attackers releasing confidential information. This is irreversible, and it could be very severe depending on what kind of industry you're in. Also, unfortunately, attackers may attack your backups, so if you feel you're sufficiently backed up, you have to consider that as well, and let's face it, many organizations haven't expended the time or resources to back up their systems very well. If they don't pay the ransom, for whatever reason, it can take months and millions of dollars to restore systems and data. It's really not clear how often companies pay ransom. One source I read claims it's most companies, which would mean to me more than half. Another source I found says one in four, so you don't really know. Companies don't disclose this information. Companies really just have to decide what's right for them in this case, but I have to emphasise that the US government, including the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency or CISA, and federal law enforcement do not recommend paying a ransom.
So, a little bit about the legal risks if the company is inclined to pay anyway. The US Office of Foreign Assets Control (OFAC), which is part of the Department of the Treasury, prohibits dealing with certain countries, so Iran, Syria, North Korea, for example. They also have a Specially Designated Nationals (SDN) list and a list of blocked persons, and as they learn of malicious cyber actors, they'll add them to the list. So, for example, Evil Corp, which is a Russian-based criminal group, was added to the list within the past couple of years. Anyway, late last year OFAC issued an advisory outlining all of this; you can find it on their website.
If OFAC finds that you've paid a ransom to a prohibited entity, then they can issue substantial penalties. Of course, our listeners by now are thinking, well, if you're hit with ransomware, how do you know who you're dealing with? You probably won't. You might, but you probably won't know exactly. And if that's the case, it can be advisable to engage with OFAC early. This is definitely an area where you would want to get some expert advice if you're in this situation.
Now, OFAC has stated that if you involve them, that can help mitigate any eventual penalty if OFAC issues an enforcement action. On the practical side, as CISA has cautioned, paying a ransom won't ensure that your data will be unencrypted, or that your systems or data will no longer be compromised. Recovered data could contain a payload, for example, sort of a ticking time bomb. If you are successful in getting a decryption key as a result of paying a ransom, then you'll still have downtime as you bring your systems back up, and there's still a cost to that, something to put into the mix, because it can be substantial. And just a final note on insurance, which you had asked about: of course, insurers are getting hit with some large claims resulting from cyberattacks, and something to consider is that insurers may push back; they might construe, or you can expect them to construe, your policy language very narrowly. So even if you haven't looked at your policy for a while and think a ransom payment or other costs should be covered, check again, because that particular language can become very important in seeking reimbursement.
There is a case that's pending right now called Mondelez versus Zurich. It doesn't concern a ransomware attack, but it's still an important example of the potential pitfalls of relying on your insurance policy. So, you might recall the 2017 NotPetya malware attack, which has been attributed to the Russian government. It caused widespread damage and led to about 3 billion in insurance claims. Interestingly, most of that was made under property and casualty policies that didn't specifically address cyber risks. So, for damages from NotPetya, Mondelez made a claim under its property insurance policy, and its insurer, Zurich, denied coverage, citing the language in the policy excluding acts of war or war-like actions.
So, the outcome of this case will be important, but in any event, it's advisable to consider cyber insurance, a specific cyber insurance policy, if that's a place where you see significant risk for your company. That way, at least the policy language would be tailored to cyber-attacks and might provide a bit more certainty on what is and is not covered.
No, I agree, and I think insurers are also thinking about it, right? If they see a tenfold increase in ransomware, and they used to think that it was much easier to just pay the ransom and then realized that also becomes a complicated scenario, then most of them are probably thinking in terms of how to protect themselves against massive losses as well, and what to look for, so you see more and more questions around policies, procedures, audits, certifications.
So they would like to make sure that they are only insuring those companies that are taking this risk seriously, and so it's a two-way street, right? So, while you can rely on insurance, even if you buy a cyber security policy, as the number of attacks increases, the premiums are going to go up, the coverage is going to reduce, and there are going to be other requirements around who will be insured and when the payouts will happen, so they'll expect some level of due diligence on the part of the companies before they cover the cost.
That's right, and insurance companies have been pretty proactive here. If you get a cyber insurance policy and you don't already have legal counsel, some insurance companies will appoint breach counsel to meet with you as soon as the policy is signed, or soon after.
So, how has the recent success of the FBI in recouping the Colonial Pipeline ransom affected future attacks? Could you talk a little bit about the new executive order that was signed by President Biden impacting companies, ransomware preparedness, and policies around ransomware?
Sure. On the FBI, they have gained a track record of dismantling criminal crypto networks and seizing funds, and this is in part because public blockchains make cryptocurrency, which the criminals use extensively, traceable. The FBI seizure of part of the Colonial ransom, which I believe was the equivalent of about 2.3 million at the time, is really the first time an amount anywhere near this large has been reported to have been recovered. It's really raised all kinds of interesting questions, such as, if you pay the ransom, does it actually make it easier for the FBI to track the criminals? I wasn't able to find any commentary there, but in any case, the government is still expressing a preference that victims not pay ransom.
So can the FBI get so good at recovering ransom payments that this ends up acting as a deterrent to criminals? That's not clear. What is clear, though, is that assuming criminals who deploy ransomware are doing it for financial gain, the surest way to deter them would be to prevent them from getting and keeping ransom payments. In my opinion, no one has come up with a foolproof strategy for doing that. There have been some proposals to ban ransom payments or to ban cryptocurrency like Bitcoin, which is usually what attackers demand, but these types of blanket measures have significant downsides. If you implemented a blanket ban on ransom payments, for example, you could potentially cause companies who have not backed up their systems, or who are unprepared to restore their systems and data, to go out of business, at least in the near term. And banning cryptocurrency outright can have the effect of unfairly penalizing legitimate users of cryptocurrency while at the same time sending cybercriminals further underground.
I thought it was interesting that earlier this month the SEC Chair Gary Gensler hinted at cryptocurrency regulation, and there is already some in place, but he talked a little bit about more cryptocurrency regulation, but then he didn't really provide any details. I think it's going to be an interesting space to watch. I think we can expect continued discussion about possible mechanisms that have the effect of restricting criminal use of cryptocurrency.
As far as the executive order: back in May, President Biden issued an executive order called the Executive Order on Improving the Nation's Cybersecurity. He is not the first president to issue a cyber security executive order, by the way; there have been several, and all of them emphasize the need for government to partner with the private sector to address security.
The executive order from May 12th really focuses mostly, though, on improving security within federal government systems, including improved information-gathering requirements for government contractors, improving supply chain security, and implementing zero-trust architecture. I thought it was interesting that the executive order mandates the creation of a Cyber Safety Review Board within the Department of Homeland Security. The mandate for that new board isn't really detailed. I think some people were hoping it would be like the NTSB and work meaningfully with industry to respond to incidents, but that's something to watch for. I think, more significantly, the most significant reaction to the Colonial attack has been the issuance by the Transportation Security Administration, which is responsible for cyber security in the pipeline sector, of two security directives pretty recently. So while the TSA has made security recommendations and provided resources to pipelines for years, this is the first time it has imposed actual requirements.
So, these security directives contain requirements for notifying CISA of cyber incidents on critical pipeline infrastructure, and they require owners and operators of pipelines to review their cyber security programs in a specific way, and that first directive contains some very short time frames for compliance. Interestingly, despite all the emphasis on collaboration with private industry, the TSA directives were issued without any collaboration at all with industry. They were issued under the authority to issue emergency regulations, so there wasn't any notice-and-comment rulemaking.
What I find usually happens in this situation is that industry comments anyway, there's a productive dialogue with the regulators, and the regulations are fine-tuned in order to be workable and most effective. And then I should mention also, and this may be something that our listeners want to search for and read because I think it's very useful, NIST, the National Institute of Standards and Technology, issued back in June a draft Cybersecurity Framework profile for ransomware risk management. If you're familiar with the NIST Cybersecurity Framework, and probably most of our listeners are, what this new document does is map NIST's existing categories and standards specifically to ransomware. So it's designed to be a practical document that does some of the work for you in that regard, since a lot of companies rely on the NIST Cybersecurity Framework.
I think it can be a good way to help companies simplify the internal discussion about defending against and responding to ransomware attacks, so it can be a good place to start. If you don't know where to start, it will guide you through the different themes of identification of risk, protection, detection, response and recovery. Along those same lines, CISA, the Cybersecurity and Infrastructure Security Agency, also has a specific ransomware guide that they developed with the MS-ISAC, the Multi-State Information Sharing and Analysis Center.
Great points here, and I think a lot of information for our audience. As you mentioned, President Biden wasn't the first person to issue an executive order, and cyber security has been an issue for a long time now. As we make progress on the security side, the attackers are also getting more and more sophisticated.
Some of the attacks this year have been significantly different, but any other closing thoughts?
Well, just to wrap up the main points here, the main takeaways are to definitely have a plan for responding to a ransomware attack. As you mentioned, Priya, it's not “if”, it's “when”. In that plan and in the response, legal has a front and center role. This is something to definitely discuss with your external counsel.
And finally, check out these good resources if you haven't already, published by NIST and CISA if you need a starting point for your internal discussion at your company.
Thank you so much Susan. Great information here.
Appreciate you joining us on this podcast.
Thanks so much, Priya.