1. Corporate compliance as a new cyberattack strategy
The evolution of cybercrime is not driven only by the development of the technologies that cybercriminals use. Recent events show that cybercriminals are also incorporating, as an innovative element of their criminal strategies, an analysis of the legal obligations that apply to the companies they attack.
For example, the gang known as Ransomed has begun to add a complementary threat to the traditional extortion that follows its ransomware attacks: the sanctions provided for by the regulations that apply when a company is shown to have breached the duties of diligence required of it while managing a security incident. We are referring to the current General Data Protection Regulation, whose penalties for breaching security obligations can reach millions of dollars.
2. Cases of compliance-based cyberattacks
This is what happened in the extortion of the company MeridianLink, which, after the latest cyberattack carried out by Ransomed, was reported to the US SEC for not having properly notified the incident and thus failing to comply with the applicable regulations. For the affected company, such a report could mean a penalty significantly higher than the amount the attackers demanded in exchange for not reporting the incident.
In this case, the mechanics followed by the criminals still consist of causing a security incident, as has always been done; the difference lies in the strategy built around it. The payment demanded from the victim is calculated on the basis of the sanction that would eventually be imposed on the affected company for not having implemented appropriate security measures and for not having notified the incident when it was obliged to do so. Indeed, in these cases the very cybercriminals who caused the security breach report the affected company to the supervisory authority, providing evidence both that the incident really occurred (who better than the person responsible for the crime to prove that the incident happened and is real) and that the affected company failed to comply with the applicable regulations by not reporting the incident to the authorities in a timely manner.
In this way, the likelihood that the company will consider paying the requested amounts increases significantly, rather than risking the fines imposed by the regulator, especially in view of the complaint and the evidence that the cybercriminals responsible for the incident may have provided. To this scenario can be added the reputational crisis that such a report would cause for the company.
3. Balancing compliance and resilience: clarifying company responses to cybersecurity incidents
That is why it seems advisable to develop a doctrine that clarifies to companies what position the control authorities will take when analysing complaints received from the organised criminal gangs that caused the cybersecurity incident, which they then report and easily prove with evidence. It is true that companies must comply with the security and transparency obligations that the applicable regulations require of them. However, other mitigating factors must also be considered, such as the fact that a company that refuses to submit to extortion almost certainly faces a sanctioning procedure, yet shows diligence in its reactive management of the incident.
Article provided by INPLP members: Francisco Perez Bes and Esmeralda Saracibar (ECIX Group, Spain)
Dr. Tobias Höllwarth (Managing Director INPLP)