Ransomware schemes cost organizations in the U.S. and other countries millions of dollars, primarily to recover the ransomed data in order to resume business operations. Ransomware is a form of malware that encrypts files on a device and renders them unusable unless a ransom is paid to decrypt and restore the files.
One of the most active ransomware groups in the world has targeted over 2,000 victims, demanded ransoms totaling hundreds of millions of dollars, and extorted more than $120 million in ransom payments.
Enacted two years ago, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) represents an important milestone in improving America’s cybersecurity. The Act requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report cyber incidents and ransomware payments to the agency. CISA is responsible for protecting the nation's critical infrastructure from physical and cyber threats, including ransomware. Reporting and data sharing are a vital component of that protection in both public and private sectors.
Timeline for Law to Take Effect. Because CIRCIA grants CISA certain regulatory powers, CISA must complete mandatory rulemaking activities before the reporting requirements go into effect. To that end, CISA developed a Notice of Proposed Rulemaking, which was published on April 4, 2024 in the Federal Register and is open for public comment until June 3, 2024. All agency and public comments will be considered in developing the Final Rule, which CISA must publish not later than October 4, 2025.
Voluntary Reporting Is Encouraged Now. Cyber incident and ransomware payment reporting under CIRCIA will be mandatory once the CIRCIA Final Rule goes into effect. Until then, all entities are urged to share cyber incident information with CISA on a voluntary basis. When information is shared quickly, damage control can be much more effective. CISA can rapidly deploy resources and render assistance to victims suffering attacks, analyze incoming reporting across sectors to identify trends, and quickly share that information with network defenders to warn other potential victims.
Addressing ransomware is an important element of the Act, which encompasses several initiatives, including:
CISA encourages all organizations to share information about unusual cyber activity and cyber incidents via cisa.gov/report.
Amending the state’s landmark Cybersecurity Act of 2021, House Bill 7055 took effect July 1, 2022. It requires the Florida Digital Service (FLDS) and state agency heads to further strengthen cybersecurity by complying with specific new requirements. Following are highlights.
A new cybersecurity law in North Carolina also took effect in 2022. It prohibits state agencies and local governments from communicating with cybercriminals during a ransomware attack and from paying ransoms if they become victims of an attack. The intent of this law is to discourage ransomware criminals from targeting agencies and local governments in North Carolina since they will reap no profits. In practice, the new law requires state agencies and local governments, including public schools and universities, to become much more proactive in safeguarding their data to avoid being targeted by ransomware and other cybercriminals.
Several other states have pending legislation under review, including Pennsylvania and Texas.
Proactive cybersecurity measures are crucial to robust cybersecurity programs that effectively safeguard sensitive federal and state information and reduce vulnerability to ransomware and other cybercrimes. The following measures are recommended by the FBI.
In addition, employees and management should receive regular cybersecurity awareness training, including how to recognize phishing schemes, which often lead to ransomware attacks.
Ransomware continues to be a highly profitable business for cybercriminals, and costs organizations millions of dollars each year. In response, U.S. federal and state ransomware laws have been enacted to compel more effective cybersecurity behaviors. At the federal level, the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) requires covered entities to report cyber incidents and ransomware payments to the Cybersecurity and Infrastructure Security Agency (CISA).
At the state level, Florida is a leader in specifying more effective cybersecurity practices among state agencies and local governments, which are attractive ransomware targets. The new Florida ransomware law imposes criminal penalties and fines for ransomware offenses, prohibits state and local entities from paying ransoms and otherwise complying with ransomware demands, and requires that ransomware and other high-severity cyber incidents be reported promptly to designated authorities.