Pub. 23 2024 Issue 4

foreign jurisdictions and regimes with whom U.S. citizens and companies are prohibited from doing business. However, the FBI recommends not paying a ransom.

8. Can dealers negotiate the ransom on their own?

Ransom groups are typically sophisticated international criminals, and we recommend engaging a professional negotiator. These professionals have studied ransom groups and developed negotiation strategies based on analysis of available information about prior group activity.

9. How is a ransom paid?

Ransom payments are facilitated by professional vendors, who typically set up a Bitcoin (or similar cryptocurrency) wallet for the payment once the OFAC check has cleared.

10. If the ransom is paid, is the attack over?

No. The organization will need to confirm that the threat actors no longer have access to its systems, and it may take time to restore impacted systems and data. If the organization pays for a decryption key, there is a risk that the key will not work, and in some cases the encryption process itself may have corrupted data so that it cannot be recovered. Additionally, the organization may need to monitor the dark web to determine whether the threat actor has released any of the stolen data.

11. What steps can dealers take to minimize the risk of being the victim of an attack?

There are a number of steps, but the most important include:
• Regularly updating the organization's software and operating systems with the latest patches.
• Removing outdated applications and operating systems. According to CISA, these are the target of most attacks, since older systems typically lack current security controls.
• Providing employees with regular security awareness training to help minimize the risk of opening attachments or clicking links in unsolicited or suspicious emails.
• Routinely backing up sensitive data and maintaining the backups in a segregated, offline form.
• Reviewing and updating the organization's written information security program (WISP) and monitoring compliance. A WISP outlines how the organization will protect certain sensitive information. This is particularly important if the organization is subject to the FTC Safeguards Rule, which requires an appropriate written information security program.
• Ensuring the organization's IT staff has the training and tools needed to keep systems updated and the resources to stay current on the threat landscape.

12. What steps can dealers take to prepare for responding to a ransomware attack?

There are several key steps to consider:
• Understanding the terms of the organization's cyber coverage and whom to contact in the event of an attack.
• Reviewing and updating the organization's written Incident Response Plan (IRP). This is not a technical plan but an administrative one that lays out who is on the incident response team, their roles and responsibilities, the steps to take during an incident, what contractual and legal reporting obligations may apply (e.g., the FTC's updated Safeguards Rule and breach reporting obligations), how internal and external communications will be handled, and related information.
• Practicing the IRP.
• Ensuring the organization's IT team understands how to preserve evidence of the attack.
• Ensuring the organization's data is regularly backed up, kept offline, and verified as restorable.
• Reviewing and updating the organization's business continuity plan to prepare for potential disruption to business operations (invoicing, payment processing, etc.).

13. What type of reporting obligations for the organization may be triggered by the attack?

This will depend on the organization and the nature of the data impacted. For example, state data breach notification laws may apply depending on the type of personally identifiable information impacted. Notably, the applicable state law(s) will be determined by the state of residence of the impacted individuals (which may be multiple states, and thus multiple laws in scope). The amended FTC Safeguards Rule requires notifying the FTC as soon as possible, and no later than 30 days after discovery, of a notification event involving the unencrypted customer information of at least 500 consumers. Organizations that self-fund their employee health or wellness plans may be subject to notification and reporting obligations under HIPAA if protected health information is impacted. In addition, the organization may have contractual obligations to notify a business partner, bank, or other third party if it experiences a security incident.

Ransomware attacks can cause a wide range of harm to any organization: business interruption, economic loss, reputational harm, investigation and legal costs, and loss of sensitive or proprietary information. Staying informed on the evolving risk landscape, mapping data to understand where the organization's sensitive data resides, conducting regular system risk assessments, and practicing the Incident Response Plan are basic steps that strengthen the organization's resilience and its ability to respond in the event of an attack. For additional information and resources on ransomware attacks, visit the websites of the NJ Cybersecurity & Communications Integration Cell, CISA, and the FBI.

NEW JERSEY auto retailer
