When hit with a cybersecurity attack, organizations are often not inclined to bring in federal law enforcement. Recent comments by FBI Director Christopher Wray at Mandiant’s annual mWISE 2023 conference seek to encourage the private sector to reconsider, as reported in CIODive. Reporting is an important consideration and, depending on certain factors, it may be required.
According to the article, Director Wray attempted to reassure conference attendees:
“We know the private sector hasn’t always been excited about working with federal law enforcement, but when you contact us about an intrusion, we won’t be showing up in raid jackets, instead we’ll treat you like the victims you are – just like we treat all victims of crimes.”
According to the U.S. Government Accountability Office, “the U.S. is less prepared to fight cybercrime than it could be” – the title of a recent GAO blog published in August 2023. There are several reasons for this, according to the GAO, one of which is public hesitancy to report attacks. That hesitancy stems from:
- Apprehension about public disclosure and loss of privilege
- Concerns about the organization’s reputation
- Uncertainty about which agency the attack should be reported to
- Doubt that law enforcement can do anything about the attack, which diminishes the incentive to report
- Some organizations are more inclined to contact local law enforcement
See the full GAO report.
Director Wray pointed to some successes his agency has had with disrupting criminal operations and cyber-attacks in the U.S. One example is the takedown of Qakbot, malware that reportedly had infected more than 700,000 computers worldwide and 200,000 in the U.S.
An organization’s hesitancy to report a cybercrime to federal law enforcement may have to yield to emerging reporting mandates. These include, without limitation:
- Department of Homeland Security. According to the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (Act), entities in the critical infrastructure sector must report to the Department of Homeland Security (DHS) certain cyber incidents within 72 hours, and ransom payments within 24 hours of making the payment. As regulations to implement these requirements near, DHS recently announced a common platform for reporting cyber incidents.
- Securities and Exchange Commission. This summer, the Securities and Exchange Commission (SEC) adopted rules to enhance and standardize disclosures by public companies regarding cybersecurity risk management, strategy, governance, and incidents. In short, material cybersecurity incidents must be reported within four (4) business days.
- National Credit Union Administration. The National Credit Union Administration (NCUA) recently finalized regulations that became effective September 1, 2023. Under the final rule, federally insured credit unions must notify the NCUA as soon as possible but no later than 72 hours after the Federally Insured Credit Union (FICU) reasonably believes that a reportable cyber incident has occurred.
Another reason to consider reporting a cyber-attack has to do with minimizing exposure to civil liability under regulations enforced by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC). In general, U.S. law prohibits U.S. persons from engaging in transactions, directly or indirectly, with certain individuals or entities – this includes ransom payments. According to OFAC guidance, the agency:
may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if such person did not know or have reason to know that it was engaging in a transaction that was prohibited under sanctions laws and regulations administered by OFAC.
However, OFAC will consider certain factors that could minimize exposure to penalties. One of those factors is reporting ransomware attacks to appropriate U.S. government agencies and cooperating with OFAC, law enforcement, and other relevant agencies.
Of course, decisions regarding whether, when, how, and to whom to report a cyber-attack should be thought through carefully, with experienced counsel, considering the circumstances and related issues. Whether Director Wray will see an uptick in reporting and be able to use that information to help thwart more attacks remains to be seen.