For most organisations, ransomware is currently their biggest cyber threat. Currently in New Zealand, we only hear about the headline cases that have impacted Kiwis – such as Travelex, Toll, Lion and Fisher & Paykel Appliances. This year however thousands of New Zealand organisations have likely been impacted such incidents and demands to pay a ransom. And with new privacy regulations coming into force in December, disclosure will immediately be mandatory for some cyber incidents.
However, the legality of paying a ransom is now in question. Whilst the ethics of encouraging cyber criminals by paying ransoms has long been a question, it’s now been indicated by the United States Treasury that organisations and their insurers risked violating regulations if they pay ransoms to cyber criminals.
Because cyber criminals may reside in countries which New Zealand (amongst other countries) has placed financial sanctions on this could put people and organisations at as one potential penality is up to 1-year in jail if they pay a ransom that ultimate ends up in such as country. It’s worth noting that we have sanctions in place against North Korea which is a state considered as a heavily focussed on cyber attacks – with an estimated 7,000 operatives trained in cyber attack methods and cyber warfare.
The role of insurance companies may be changing too, as policies which paying ransoms are expected to rise in line with the dramatic increase in ransom costs of some 10-time since early 2019. Add to this the legal issues with paying a ransom and the option of having your insurance company provide this support may disappear.
It’s my opinion organisations that don’t have confidence they can withstand a cyber-attack should promptly get a cyber security audit initiated and also put in place cyber security awareness training. If you don’t already have a favored partner to assist with cyber security matters, my team a Gorilla Cyber Security can help with.