Comprehensive preparation will contain fall-out from ransomware attacks
Ransomware attacks have been rising and it is companies that have a high level of preparedness that are weathering the storm, according to Wendy Tembedza and Karl Blom, partners in Webber Wentzel’s Telecommunications, Media and Technology team. The Sophos State of Ransomware in South Africa 2023 report found that 78% of South African organisations surveyed had experienced an attack in the preceding year, up from 51% in the 2022 survey.
Ransomware attacks introduce malicious software into a company’s systems.
“The usual pattern our clients experience is that late on a Friday evening or a Saturday morning, company management is notified by the IT department that the company has lost access to essential files, and has received a demand for money, usually in the form of Bitcoin, to release the files,” says Blom.
“Typically, up to six months before the event, a hacker has accessed the company’s system and stored a virus that gathered confidential information. Once enough information has been accumulated, the hacker locks down the files.”
Tembedza urges companies to put a three-step strategy in place. The first is to mitigate the risk before any event occurs, the second is to manage an event and the third step is to review controls and processes regularly, given that technology and threats are constantly evolving.
Tembedza says companies should ensure they have taken reasonable steps to protect their systems, taking into consideration the particular types of breaches to which they are susceptible. The Protection of Personal Information Act (POPI) requires companies to have appropriate, reasonable and technical organisational measures in place. This involves assessing access controls, policies relating to the utilisation of IT infrastructure and procedures for regular maintenance and review of safety systems.
Organisations must have a plan to deal with a data breach (in this case, a ransomware attack) that sets out how employees should act, who they must notify and how the organisation will approach the Information Regulator and affected data subjects to notify them of the incident.
Blom says a highly regulated entity operating in a sector such as banking, financial service, healthcare and even education may have to comply with requirements specific to that sector, in addition to POPI.
Two other laws apply along with POPI in the event of a ransomware incident, he says. The first is the Prevention and Combating of Corrupt Activities Act (PRECCA), which requires a company to notify the South African Police Services (SAPS) when certain crimes like fraud or extortion, with a value of over ZAR 100 000, are committed. The second relevant law is the Cyber Crimes Act. A financial institution or telecommunications network operator that suffers any cyber crime (which could be a broad range of crimes from fraud to extortion) must report the crime to the SAPS (although this requirement is currently suspended).
If a data breach has occurred (arising out of the ransomware attack), POPI requires that certain steps be taken, primarily relating to notification, says Tembedza. This includes notifying:
- Affected data subjects; and
- The Information Regulator
- As soon as reasonably possible following the event.
Employees must follow the company’s procedures when making any notifications.
The company should notify its insurers, assuming it has insurance in place to cover cyber attacks. Where insurance is in place, the company must ensure that it adheres to the terms of its policy.
It is important to take legal advice on what actions are permissible to recover your information and systems following a ransomware attack. While often unlikely, certain actions may create further liability for a victim (for example, making payment of a ransomware amount to an attacker in a sanctioned country or attempting to pursue a 'vigilante-type' response).
One should also consider whether it is necessary to brief public relations firms (through your attorneys) to explain the incident to data subjects and to ensure that what is said is both legally sufficient and expressed in a way that best protects the company’s reputation, says Blom.
In all cases, companies that fare the best in these situations are those that:
- Respond to the incident quickly.
- Have taken reasonable precautions (such as implementing robust backup systems).
- Hold appropriate insurance cover (and adhere to those terms).
- Brief attorneys prior to notifying their insurers, affected data subjects and the Information Regulator.
- Where necessary, brief forensic investigators and/or public relations experts through their attorneys.
Listen to Tembedza and Blom, dive into the alarming and rapidly evolving world of these cyber threats, here.