
Colonial Pipeline Breach: Moving the Needle on Ransomware Regulations

Written by Robert H. Rosenzweig | Jun 17, 2021 4:00:00 AM

Another major ransomware attack is altering the U.S. cybersecurity landscape. The Colonial Pipeline ransomware attack resulted in the temporary closure of one of the largest oil pipelines in the country. Even with operations resuming – and a temporary fuel shortage scare over – the incident is far from resolved. The government has announced new cybersecurity requirements for private businesses. With cyber insurance policy rates on the rise, these mandates could lead to steep rate spikes in an already hard market.

What Happened?

Colonial Pipeline is one of the largest pipeline operators in the U.S. It provides fuel to much of the East Coast, filling tanks at gas stations and delivering jet fuel to airports. According to the company’s statement released on May 7, 2021, their network was hit by a cybersecurity attack. They temporarily shut down operations in order to contain the threat, hired a third-party cybersecurity firm to investigate the incident, and alerted law enforcement and federal agencies.

The exact details have not been revealed by Colonial Pipeline, but we do know that data was held hostage by a ransomware variant that has been linked to the DarkSide hacking group. To regain access to its data, Colonial Pipeline paid almost $5 million in ransom and, while still investigating the incident, began to slowly resume operations. Despite the company’s quick response, this incident raised several important issues that are not going away: When is it appropriate to pay a ransom? And what are the implications if an energy company like Colonial Pipeline, with so many businesses tied to its supply chain, does not pay?

Rules & Regulations

The Office of Foreign Assets Control (OFAC) has issued guidance for companies dealing with criminal cyber groups. Businesses and insurers are not permitted to pay ransom to groups that have been linked to OFAC’s Specially Designated Nationals and Blocked Persons List, and insurers have been proceeding with extra caution in light of this guidance. For over half a year, however, this warning had been the only substantial change guiding ransom payment practices.

DarkSide has potential ties to groups on the OFAC sanctions list – which is why in other cases insurance carriers have been unable to reimburse DarkSide extortion demands. The federal government’s policy, as articulated by President Biden’s press secretary, is that paying ransom to these groups is “not constructive,” as the money could be used to fund more attacks. However, it is not at all clear that refusing to pay ransoms will reduce the frequency of attacks – if anything, attackers may step up their efforts.

Businesses, moreover, often have to prioritize the financial side of the problem and consider the potential losses associated with IT downtime, business interruption, and lost data that may not be backed up. There may be lawsuits as well, from businesses that were impacted by the attack. These could range from trucking and gas companies to airlines – anyone who faced business interruption losses due to a ransomware attack at the other end of the supply chain. The potential downstream implications are huge.

Post-Colonial Pipeline

Federal agencies are now taking steps to restrict companies’ ability to pay ransom. The Transportation Security Administration (TSA) plans to release two security directives that will require pipeline operators to report cyberattacks to the agency and to designate a “point person” for cybersecurity. Compliance with such measures has until now been voluntary; it no longer will be.

The TSA hopes this will be the beginning of straightforward and enforceable federal guidance. The potential implications of this change could move beyond the pipeline and energy sectors, creating an environment where businesses are unable to free themselves from a financial chokehold, and insurers cannot work with companies to make extortion payments.

Businesses should be prepared for some short-term pain in the coming months and years as these new proposals are worked out. Nobody wants more cyberattacks and disrupted supply chains; all parties – businesses, insurers and government agencies – will have to find a path towards preventing them together.

Want to learn more?

Find me on LinkedIn, here.

Connect with the Risk Strategies Cyber Risk team at cyber@risk-strategies.com.

Email me directly at rrosenzweig@risk-strategies.com.